Over the past few months I’ve discovered several flaws in various email clients, which allow the sender of an email to track information about the recipient of an email. Information such as their location and what time they read the email. These are serious bugs, and they exist in widely used email client software. I’ve discovered problems in Apple Mail, the iPhone, Android Mail, K-9, Thunderbird 3, Outlook 2007 and a general bug involving webmail clients and DNS pre-fetching.
That I know of, my research has so far lead to fixes for Apple Mail, Thunderbird 3, IMP, Roundcube and K-9.
I have built an online tool for testing whether your email client is susceptible to any of these attacks.
Enter your email address, and it will send you a specially formatted email which attempts to “callback” to my server. The webpage where you enter the email address will then display the results for you as they come in.
I suspect there are similar problems in many email and webmail clients that I have not discovered yet, but that this tool will uncover. If you find any, please let me know by commenting on this blog post, and please submit bug reports to the developers of the software.
You can access the application here. Please read the text on the page before submitting your email address as it may help prevent confusion about what is happening on the results page.
A number of flaws were found in OpenWebmail by somebody using this application. I reported them on their dev mailing list and they have now been fixed. Somebody else found a leak in Microsoft Entourage using this application and I bug reported it a few weeks ago. Still waiting for feedback on that one. I’m also still waiting for feedback on the Outlook 2007 one. The open source projects have been considerably faster to respond than Microsoft and Apple.