Is Your Email Client Leaking Sensitive Information?

May 7, 2012
By

Post to Twitter Post to Facebook Post to Reddit

Lips with Finger in FrontIn following up with some interesting security services … I came across another great website on Reddit last week called EmailPrivacyTester.com. Created by Mike Cardwell over the past year or so, the service performs 38 privacy checks “to test your email client for privacy leaks and security bugs.” In this post I plan to explain how the service works, some concerns I originally had, and some pics I took when testing the service. Later in the week I plan to post a chat I had with developer over email (with his permission of course).

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. -@grecs)

To use EmailPrivacyTester.com just enter your email and hit enter. The site sends that address a message containing a number of tricks … the typical ones marketers generally use to track email campaigns as well as some more nefarious techniques. Your spam filter may detect some of these baddies so you might need to add *@emailprivacytester.com to your whitelist. Regardless after you receive the message, simply open it and see if the results page lights up. Hopefully your email client isn’t set to load remote images by default. Mike recommends allowing remote images as a second step to watch what your email client did block by default. “If merely reading the message without selecting to load remote images triggers any of the tests, then either your email client has a “privacy bug,” or it is not configured for optimal privacy.”

I was a little worried at first as this site could be an email address collection spam feeder mechanism. But after reading through the site thoroughly and having a conversation with the developer over Reddit, it looks like he has nothing but good intentions. Additionally, the privacy page seems genuine … no lawyer-ry talk … just Mike explaining it like it is. In order to prevent abuse he does store some information for up to 10 days. The data doesn’t seem to be anything too serious though … just dates, times, IPs, user agents, and email address hashes (not your real one). So even if the EmailPrivacyTester.com application or server gets hacked, I still don’t see much of a problem.

Best yet … Mike continues on saying that all the code is open source and you can find it in his Github account. I haven’t looked through it personally but @hushedfeet mentioned that he skimmed it and it looks like it does what it intends to. He did mention that of course there are no promises what the service does on the backend. Additionally, it’s still pretty popular on Reddit and no one has complained there yet. The privacy page closes by saying that he promises not to share your address with anyone and will not send any further emails besides the test one. I tested the site a few days ago and haven’t received any spam yet … so that’s a good sign. ;)

Here’s a quick run-through I did with the service. As noted above the front page is pretty simple. Just enter your email address and hit enter.

Here is the initial result page before opening up any dynamic HTML content in my email client.

Next, I let the dynamic HTML content fly and nine of the ovals turned red. You can click on each of the ovals to get a more detailed description.

Now I allow it to show images/remote content and four more ovals turned red. Since I was using a web-based email client, Firefox popped up a message asking to store data on my computer for offline use. I allowed it but the results remained the same. There was a also submit query window that appeared. I let it go but again nothing changed.

Finally, I opened the same message in the default mail app on my iPhone and things really started to light up. I did notice that on the iPhone it didn’t display any text. It was just a blank message.

And for those that are curious, here is the original email after allowing dynamic HTML content and remote images.

Overall, EmailPrivacyTester.com seems like a great service to verify if your email client leaks potentially sensitive information. If it does, Mike recommends checking to see if your privacy settings are set to their full extent. Assuming your configs are locked down, you may want to contact the developer of the client to see if they are able to fix it. And for those email client developers out there, this service looks like a perfect fit to include in your testing process. You can find out more information about this service by heading over to EmailPrivacyTester.com.

Update 8/12/12: For manually configuring Thunderbird to restrict some of these privacy leaks, check out this “Hiding in Plain Sight” post from Dave Monnier. There’s also instructions for viewing leaky data from your side.

#####

Do you know of any other cool privacy services out there? Let us know in the comments below. Today’s post pic is from Any.biz. See ya!

Tags: , ,

11 Responses to Is Your Email Client Leaking Sensitive Information?

  1. (@Nathiet) (@Nathiet) on May 7, 2012 at 9:09 am

    #NoVABlogger Is Your Email Client Leaking Sensitive Information? http://t.co/IpaarQy6

  2. taylor banks (@taylorbanks) on May 9, 2012 at 9:04 am

    Is Your Email Client Leaking Sensitive Information? #privacy #security http://t.co/OC3iyzwD via @grecs

  3. (@novainfosec) (@novainfosec) on July 2, 2012 at 10:54 am

    Best Of: Is Your Email Client Leaking Sensitive Information? http://t.co/HRlP2Wnb

  4. (@grecs) (@grecs) on August 11, 2012 at 10:01 am

    Re prev tweet .. thr’s also EmailPrivacyTester that we previously wrote abt. http://t.co/79DGl0Fo

  5. (@grecs) (@grecs) on August 11, 2012 at 10:49 am

    @Shpantzer @teamcymru There’s also EmailPrivacyTester that we previously wrote abt. http://t.co/79DGl0Fo

  6. krvw (@krvw) on August 13, 2012 at 7:01 am

    “@novainfosec: Best Of: Is Your Email Client Leaking Sensitive Information? http://t.co/yyTRiZfz” < Nice. Tested your emailer lately?

  7. (@novainfosec) (@novainfosec) on September 20, 2012 at 2:57 am

    Best Of: Is Your Email Client Leaking Sensitive Information? http://t.co/NqqtF3Wf

  8. novainfosec (@novainfosec) on November 12, 2012 at 9:17 pm

    Best Of: Is Your Email Client Leaking Sensitive Information? http://t.co/oX7j1lLa

  9. novainfosec (@novainfosec) on April 21, 2013 at 11:33 pm

    Best Of: Is Your Email Client Leaking Sensitive Information? http://t.co/3HoNazN3NS

  10. novainfosec (@novainfosec) on February 20, 2014 at 10:38 pm

    Best Of: Is Your Email Client Leaking Sensitive Information? http://t.co/FmnE4GhxhQ

  11. novainfosec (@novainfosec) on March 2, 2014 at 10:46 am

    Best Of: Is Your Email Client Leaking Sensitive Information? http://t.co/V796VMFWxJ

Leave a Reply

Your email address will not be published. Required fields are marked *


About Us

Founded in 2008, NoVA Infosec is dedicated to the community of Metro DC-based security professionals and whitehat hackers involved in the government and other regulated verticals. Find out more on our About Us page.