Grepular

Evolution Mail Users Easily Trackable Part 2

Written 12 hours ago by Mike Cardwell

In a previous blog post I wrote about how easy it is to track Evolution Mail users due to a bug in DNS prefetching. This allows the sender of an email to learn the open time and the IP address of the receiver's DNS resolver before the receiver clicks Load Remote Content.

In the same blog post I referred to another bug that somebody else reported over a year ago related to link rel=preconnect, which is even worse, giving the sender of an email the IP address of the end user instead of just their DNS resolver.
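As an added example (not part of the original post, and not code from the Evolution project), here is one of the mitigations a mail client could apply on its own side: strip speculative `<link>` hints out of an HTML message body before it is handed to the rendering engine, so the engine never sees a `rel="preconnect"` or `rel="dns-prefetch"` instruction. The `SPECULATIVE_REL` set, the `strip_link_hints` function and the sample message are all constructed for this illustration; the set goes slightly beyond the post by also covering the related `prefetch`, `prerender` and `preload` hints, on the assumption that anything which makes the engine contact a remote host before the user asks carries the same risk.

```python
"""Strip speculative-connection hints (<link rel="preconnect">, dns-prefetch
and friends) from an HTML email body before it is rendered."""
from html.parser import HTMLParser

# rel tokens that make a rendering engine contact a remote host without any
# image or script actually being loaded. "preconnect" and "dns-prefetch" are
# the two discussed in the post; the rest are related hints (assumption).
SPECULATIVE_REL = {"preconnect", "dns-prefetch", "prefetch", "prerender", "preload"}


class LinkHintStripper(HTMLParser):
    """Re-emits the input HTML verbatim, except for <link> tags carrying a
    speculative rel token, which are dropped and recorded in `removed`."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.out = []
        self.removed = []  # (rel, href) of every tag that was dropped

    def _is_speculative(self, tag, attrs):
        if tag != "link":
            return False
        rel = dict(attrs).get("rel") or ""
        tokens = {t.lower() for t in rel.split()}  # rel is a space-separated list
        return bool(tokens & SPECULATIVE_REL)

    def handle_starttag(self, tag, attrs):
        if self._is_speculative(tag, attrs):
            a = dict(attrs)
            self.removed.append((a.get("rel", ""), a.get("href", "")))
            return  # drop the tag entirely
        self.out.append(self.get_starttag_text())  # original text, attributes untouched

    handle_startendtag = handle_starttag  # same treatment for the <link ... /> form

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def strip_link_hints(html):
    """Return (cleaned_html, removed) where removed lists the (rel, href)
    pairs of every speculative <link> that was stripped."""
    p = LinkHintStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample message: two tracking hints, one legitimate stylesheet
# link and one ordinary remote image (which the client's normal "Load Remote
# Content" gate is still responsible for).
SAMPLE_EMAIL_HTML = (
    '<html><head>\n'
    '<link rel="preconnect" href="https://tracker.example/t/abc123">\n'
    '<link rel="dns-prefetch" href="//abc123.tracker.example" />\n'
    '<link rel="stylesheet" href="cid:style.css">\n'
    '</head><body><p>Hello &amp; welcome</p>\n'
    '<img src="https://tracker.example/pixel.gif"></body></html>\n'
)

if __name__ == "__main__":
    cleaned, removed = strip_link_hints(SAMPLE_EMAIL_HTML)
    for rel, href in removed:
        print(f"stripped <link rel={rel!r} href={href!r}>")
    print(cleaned)
```

Stripping the markup only helps if the mail client is the one that prefetches; the post's point is that the rendering engine does this on its own, so the durable fix is to disable these hints in the engine (or in how the client configures it) rather than to rely on filtering alone. The `removed` list is also a cheap signal for a client that wants to surface "this message contained tracking hints" to the user.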

I have now added a new test to the Email Privacy Tester for this problem.

This is a critical privacy issue, but the project has washed their hands of it after submitting a bug report to another project. They won't even add a “Don’t rely on for privacy. More info” notice next to the feature in the UI, as apparently the bug is not their problem.

According to the Evolution Mail Project, my previous blog post:

  1. Smeared the project
  2. Irritated their developers
  3. Showed my entitled attitude
  4. Caused drama

I say that this is a critical security bug, and it has been handled terribly by the project. I say that they have failed the users of their software, who are entitled to have their privacy respected, and they should spend more time fixing their software and culture instead of gaslighting people who report legitimately bad security issues that they are responsible for.

In what field of software engineering is it acceptable to see a security bug in a library you’ve chosen to use, report it to the developers of that library, and then sit on your hands for years doing nothing else? They have several options to tackle this problem, and they deny them all with the laughable excuse that it’s not the “right place” to fix it. It is flat out unacceptable how long this has been a known issue to them.

They locked the bug thread because I hurt their feelings.
