Cookies are Security Hole in HTML Email

Richard Smith just keeps uncovering security holes. Today it's the Email Cookie Leak. By reading mail, you unknowingly register your email address in someone's database, and accept their cookie. Next time you browse their site, or a site they have banner ads or other GIFs on, you are essentially broadcasting your email address while you surf. As Smith points out, just wait until banner-ad companies start taking advantage of this. I repeat the suggestion I made in October: browsers (and all clients that speak HTTP) should reject cookies not sent with the page.

HTML, not HTTP

[Hrunting]

I'm glad we live in a world where Slashdot's YRO keeps us vigilant against the supposedly harmful effects of Internet society. I mean, if you think about it, there are many more Internet technologies that can, when used improperly, cause security violations on your system.

In this case, browsers simply need to be setup to function as individual components. The web browser should not have access to the same mechanisms as an e-mail client. HTML e-mail is different from loading a web page and should be treated as such. Cookies are not a part of HTML; they are a part of HTTP! The browsers shouldn't confuse the two. This isn't a problem with the implementations of cookies, this is a problem with the implementation of HTML e-mail and the web browser.

And the idea that loading cookies from only that page is ludicrous. The whole idea is to be able to give an entire site access to information so that you can do things on different pages with similar information without having to repeatedly ask for that information. There's nothing in the HTTP specification that makes this harmful. Someone simply didn't implement the specification properly so now clients can share cookie files, leading to a possible hidden exchange of data between them.