Apple Mail and its security.
March 31, 2007 on 10:41 am | In Apple, SecurityApple’s Mail client, aptly named Mail, is pushing closer towards more HTML email content in every major release of OS X. HTML email is a bit of a cinch, as a lot of people use cleartext clients (I set my Gmail to it) but most importantly, it’s a security issue. This wouldn’t be the Cocoia blog if we investigated what risks could go with Apple Mail’s HTML email facility.
First of all, a bit of background; Safari, Apple’s browser, uses the Webkit rendering engine. Webkit’s seen it’s share of exploits, as a any HTML rendering facility has. Apple Mail has an implementation of Webkit to render it’s HTML content. This is nicely illustrated when you go to a page in Safari. From there, you can easily make the page into an email (something I did for my mass-mailing of beta invites in HTML format).
So, what could ever go wrong? First and foremost, a major issue that isn’t yet solved in any email client: Spam.
Any spam email you read and embeds images or other web-based content with an external link, can be used to track your IP address and to see if you read your email. We all already know the links on the bottom of spam that ‘allows you to no longer recieve emails from this address’. It’s a great way to determine if someone reads the spam. The same goes for HTML email. For this reason, Gmail doesn’t load images automatically. EDIT; Mark Rowe (from the Webkit team) has commented that Mail doesn’t do this as well. Kudo’s, although I have found that all users around me have the setting in the ‘Viewing’ preferences, ‘Display images’, enabled.
XSS in Javascript can do some nasty stuff. I am a fanatic reader of the great ha.ckers security blog, and it often has great in-depth articles about the latest disclosed problems with Cross-Site-Scripting. Although there is very little on the blog about Webkit, some XSS is actually cross-platform. XSS could be brought to you with HTML or embedded content like images and Javascript. EDIT; Mark pointed out that Javascript doesn’t work in content. Avenues for HTML attacks aren’t transparent to me, and I hope Mark can give me more insight on this.
Quicktime exploits are common. Webkit is integrated with Quicktime, allowing for inline rendering of video’s and audio files. Quicktime is really a piece of software that gets patched with every minor update of OS X. Over this attack vector, one could easily try a mass-attack. Remember that the email address itself doesn’t even need to be valid; only the attached content that you will be executing. EDIT; (Mark pointed out that Quicktime doesn’t work embedded, but it does in attachments.)
Only these three major issues listed, it already shows the risks you are taking by using HTML email on your Mac, or any other OS. With Windows, it’s, of course, a lot more risky, but I really don’t deal with Windows. I suggest anyone to closely scrutinize his own needs to see if you really, really need HTML email, and if you do, only open HTML email from a trusted and verified source.
4 Comments »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Syndicate
Archive
- July 2008 (2)
- June 2008 (3)
- April 2008 (8)
- March 2008 (9)
- February 2008 (14)
- January 2008 (12)
- December 2007 (7)
- November 2007 (33)
- October 2007 (25)
- September 2007 (8)
- August 2007 (9)
- July 2007 (10)
- June 2007 (27)
- May 2007 (35)
- April 2007 (36)
- March 2007 (38)
Categories
- Announcement (46)
- Apple (47)
- Cocoa (5)
- CocoiaCast (1)
- Code (13)
- Commercial Work (17)
- Design (92)
- EVE Online (1)
- Fortitude (1)
- Graphics (78)
- Hacking (6)
- How-To (8)
- Icon Design (47)
- IconResource (4)
- Interface Design (21)
- iPhone (9)
- iSight Expert (7)
- Latitude (1)
- News (38)
- Open Source (11)
- OpenGL (8)
- Personal Work (46)
- Popular (9)
- Praetorian (7)
- Ramblings (51)
- Security (19)
- Software Releases (8)
- Timezones (12)
- Typography (9)
- Uncategorized (12)
- War on Bad Design (6)
I appreciate your anaylsis on the security problems HTML mail can cause, but apart from identifying someone through their email address, how is it more risky then standard HTML/XHTML over the web?
I’d say that any problems it causes lie with the vulnerabilities of HTML itself (given it was hardly designed with security in mind) rather then with HTML mail clients.
Comment by Christopher — April 1, 2007 #
If you’ve ever used Mail it should be pretty clear that all three of your points are completely moot. WebKit in Mail does not load external images unless you explicitly click a “Load Images” button that it presents. It disables JavaScript on the embedded web view so arbitrary code is not executed. It also disables plugins. None of the “major issues” that you point out are legitimate. The only real risk is that of bugs within WebKit or Mail itself.
Comment by Mark Rowe — April 1, 2007 #
Christopher; although the problems identified do lie in HTML and it’s purpose, it’s the idea of HTML in the email medium that makes it even more risky; namely, allowing HTML files to be sent anonymously and over a whole new delivery path.
Mark, first of all, thanks for reading. I appreciate your work a lot. How’s the weather round the other side of the globe?
I have mixed up a few things in my entry.
Although I have found that indeed, plugin support is limited, and prior permission is asked to render inline elements that are externally linked, many people use the ‘Display remote images’ (under the Viewing preferences) option as well. Gmail has per-domain picking, and I haven’t found this in Apple Mail. Although the rendering of plugin content doesn’t occur when processing resources that aren’t attached, it does work out in another phase of email - re-embedded in a reply, for example, or simply attachements. I’ve found that it’s often not the programs (which I use and love) but the people using it making big faults.
Thanks for pointing out some inaccuracies, I’ll revise the post somewhat as it’s valid critique.
Comment by sebastiaan — April 1, 2007 #
Use “its” for possessive for fuck’s sake.
Comment by John — April 2, 2007 #