If you send an HTML email to somebody and include certain HTML tags which load remote content from your web server, you can tell if they’ve read the message by checking your web logs. This is a privacy hole. Email clients can be configured to not automatically load remote content, which is why you sometimes see a button in your email client saying something like “load images.” In fact, because it’s a serious hole in privacy, a lot of email clients don’t load remote content by default. Apple Mail does load remote content by default for reasons I can’t imagine.

However, that is not the problem I have found. The problem I have found is that even if you uncheck the “Display remote images in HTML messages” option in the Apple Mail preferences, it still loads remote content when the following HTML5 tags are present:
<video src="http://your.website.example.com/evil_tracker_bug"></video>
<audio src="http://your.website.example.com/evil_tracker_bug"></audio>
As expected, it ignores img, iframe and link, but it doesn’t ignore those two. I’m using the latest version of Apple Mail (Version 4.1 (1076)) on Snow Leopard. I have submitted this as a security bug report to Apple.
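A mail filter or test harness can check a message for this kind of reference before it reaches a client. The following is an added example, not code from the original post: it lists every element in a message's HTML parts that would trigger an HTTP fetch, treating video and audio the same as img. The tag table beyond the five tags named above, the sample message and the pixel.gif URL are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a client fetch a URL when the element renders.
# img, iframe, link, video and audio come from the post; the other
# entries are an assumption added here for completeness.
FETCH_ATTRS = {
    "img": ("src",), "iframe": ("src",), "link": ("href",),
    "video": ("src", "poster"), "audio": ("src",),
    "source": ("src",), "track": ("src",), "embed": ("src",),
    "object": ("data",), "input": ("src",),
}

# Constructed sample message (not taken from a real mailbox).
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@example.com">
<img src="http://your.website.example.com/pixel.gif">
<video src="http://your.website.example.com/evil_tracker_bug"></video>
<audio src="http://your.website.example.com/evil_tracker_bug"></audio>
</body></html>
"""

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, url) for each remote reference

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in FETCH_ATTRS.get(tag, ()):
                # cid: and data: stay inside the message; only http(s) leaves it
                if urlparse(value.strip()).scheme in ("http", "https"):
                    self.hits.append((tag, name, value.strip()))

def remote_refs(raw_message):
    """Return remote references found in every text/html part."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.hits
```

A filter that only inspected img, iframe and link would report one hit for the sample; this one reports three.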
I’ve just tested this with an iPhone and the same bug exists there too. Oops.
I thought I’d give this another look to see if Apple did eventually get around to fixing the bug, and it looks like they have. I think the fix is described here where it says “CVE-2009-2841”. The bug still seems to exist on the iPhone though.