# Apple Mail Privacy Hole

If you send an HTML email to somebody and include certain HTML tags which load
remote content from your web server, you can tell if they've read the message by
checking your web logs. This is a privacy hole. Email clients can be configured
to **not** automatically load remote content, which is why you sometimes see a
button in your email client saying something like "load images." In fact,
because it's a serious hole in privacy, a lot of email clients don't load remote
content by default. Apple Mail **does** load remote content by default for
reasons I can't imagine. However, that is not the problem I have found. The
problem I have found, is that even if you uncheck the "Display remote images in
HTML messages" option in the Apple Mail preferences, it **still** loads remote
content when the following HTML 5 tags are present:

```html
<video src="http://your.website.example.com/evil_tracker_bug"></video>
<audio src="http://your.website.example.com/evil_tracker_bug"></audio>
```

As expected, it ignores img, iframe and link, but it **doesn't** ignore those 2.
I'm using the latest version of Apple Mail (Version 4.1 (1076)) on Snow Leopard.
I have submitted this as a security bug report to Apple.

**UPDATE:**

I've just tested this with an iPhone and the same bug exists there too. Oops.

**UPDATE 2010-Feb-05:**

I thought I'd give this another look to see if Apple did eventually get around
to fixing the bug, and it looks like they have. I think the fix is described
[here](https://support.apple.com/kb/HT3949) where it says "CVE-2009-2841". The
bug still seems to exist on the iPhone though.