This attack is possible because most email clients allow CSS to be used to style HTML emails. When an email is forwarded, the client usually wraps the original message in new markup, so its position in the DOM changes; a CSS rule keyed to that new ancestor (a descendant selector, for example) therefore matches only in the forwarded copy and not in the message as originally received.
An attacker can use this to include elements in the email that appear or disappear depending on the context in which the email is viewed: text that is invisible to the original recipient but shown to whoever receives the forward, or the reverse. Because they are usually invisible, only appear in certain circumstances, and can be used for all sorts of mischief, I'll refer to these elements as kobold letters, after the elusive sprites of mythology.
This affects every kind of email client and webmail service that renders HTML email. So pretty much all of them. For the moment, however, I'll focus on selected clients to demonstrate the problem, and leave it to others (or future me) to extend the principle to other clients.
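The mechanism above boils down to one observation: a rule whose selector needs a particular ancestor, child or sibling cannot match in the original message but can match once a client re-parents the content. The block below is an added example, not code from the original post or from any email client. It contains a constructed HTML email with a hidden "kobold" paragraph, and a small heuristic scanner that flags `<style>` rules where a combinator-based selector gates a visibility-affecting declaration. The wrapper class `.forward-wrapper` is an assumption for illustration; real clients use their own forwarding markup, which you have to verify per client. The scanner is regex-based, not a CSS parser, and is meant as a gateway or mailbox triage check rather than a complete defence.

```javascript
// Added example (not from the original post). Heuristic scan of an HTML email
// for CSS rules that can only take effect after the message is re-parented,
// i.e. a context selector (descendant/child/sibling combinator) gating a
// visibility-changing declaration. Regex-based, not a real CSS parser.

// Constructed sample: the kobold paragraph is hidden in the message as sent
// and revealed when a client nests it under a forward wrapper. The wrapper
// class name below is an ASSUMPTION; real clients use their own markup.
const KOBOLD_EMAIL = `
<html><head><style>
  .kobold { display: none; }
  .forward-wrapper .kobold { display: block; }   /* assumed wrapper class */
  p { font-family: sans-serif; }
</style></head>
<body>
  <p>Hi team, please see the attached quote.</p>
  <p class="kobold">Note from finance: pay to the new account below.</p>
</body></html>`;

// Constructed benign sample: a plain hidden footer, no context-dependent rule.
const BENIGN_EMAIL = `
<html><head><style>
  p { color: #333; }
  .footer { display: none; }
</style></head>
<body><p>Hello</p><p class="footer">unsubscribe</p></body></html>`;

// Properties that can hide or reveal content. Widening this list (color,
// font-size, position, ...) catches more tricks but also more legitimate CSS.
const VISIBILITY_PROPS = /\b(display|visibility|opacity|height|max-height|clip|overflow)\s*:/i;

// Descendant combinator is whitespace between two tokens; also >, + and ~.
const COMBINATOR = /\S\s+\S|[>+~]/;

function extractStyleBlocks(html) {
  const blocks = [];
  const re = /<style\b[^>]*>([\s\S]*?)<\/style>/gi;
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

function parseRules(css) {
  // Strip comments, then split into flat { selector, declarations } pairs.
  const clean = css.replace(/\/\*[\s\S]*?\*\//g, '');
  const rules = [];
  const re = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(clean)) !== null) {
    rules.push({ selector: m[1].trim(), declarations: m[2].trim() });
  }
  return rules;
}

// Returns every rule that (a) depends on surrounding context via a combinator
// and (b) changes whether something is visible. Each hit is a kobold candidate.
function findContextGatedRules(html) {
  const findings = [];
  for (const css of extractStyleBlocks(html)) {
    for (const rule of parseRules(css)) {
      // ".a .b, .c" is a selector list; judge each selector on its own.
      for (const sel of rule.selector.split(',').map((s) => s.trim())) {
        if (COMBINATOR.test(sel) && VISIBILITY_PROPS.test(rule.declarations)) {
          findings.push({ selector: sel, declarations: rule.declarations });
        }
      }
    }
  }
  return findings;
}

// Blunt mitigation: drop <style> blocks entirely so no context-dependent rule
// survives. Inline style attributes are untouched and cannot depend on ancestry.
function stripStyleBlocks(html) {
  return html.replace(/<style\b[^>]*>[\s\S]*?<\/style>/gi, '');
}

for (const [name, html] of [['kobold', KOBOLD_EMAIL], ['benign', BENIGN_EMAIL]]) {
  console.log(name, findContextGatedRules(html));
}
```

Running it reports the `.forward-wrapper .kobold` rule for the first message and nothing for the second; after `stripStyleBlocks` the first message is clean too. The heuristic will also flag legitimate responsive-email CSS that uses descendant selectors, so treat hits as something to render in both contexts and compare, not as a verdict on their own.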
From the blog post:
Rich email has had problems but this is considerably more fun than the dead horse that is remote asset loading.
In the end it will betray you.
Oh yeah. If you give one tiny iota about your privacy you do not enable images on emails. I went back to text-only email by default about 10 years ago... don't miss any 'rich' features.
Protonmail proxies the images (and I'm sure does a ton of other privacy enhancements).
All emails from Orange, my ISP, are nothing more than the privacy footer and an image. It's infuriating, because you don't know if they're notifying you of a problem (service outage, etc.) or sending you an advert (90% of this time it's an ad) until you let them load the image. Having images proxied is just the sort of solution I need to mitigate their bs practices.
If important customer communications can’t be read by assistive technologies, it sounds to me like they’re due for an accessibility lawsuit.
The laws don't apply to large corporations in the same way they do to individuals. Orange, for example, also flout the law on accepting payments from non-domestic European bank accounts (it's called "IBAN discrimination"). I reported them, and nothing happened. Corporations don't care and are rarely held accountable.