Is Your Email Client Leaking Sensitive Information?

Lips with Finger in FrontIn following up with some interesting security services … I came across another great website on Reddit last week called Created by Mike Cardwell over the past year or so, the service performs 38 privacy checks “to test your email client for privacy leaks and security bugs.” In this post I plan to explain how the service works, some concerns I originally had, and some pics I took when testing the service. Later in the week I plan to post a chat I had with developer over email (with his permission of course).

To use just enter your email and hit enter. The site sends that address a message containing a number of tricks … the typical ones marketers generally use to track email campaigns as well as some more nefarious techniques. Your spam filter may detect some of these baddies so you might need to add * to your whitelist. Regardless after you receive the message, simply open it and see if the results page lights up. Hopefully your email client isn’t set to load remote images by default. Mike recommends allowing remote images as a second step to watch what your email client did block by default. “If merely reading the message without selecting to load remote images triggers any of the tests, then either your email client has a “privacy bug,” or it is not configured for optimal privacy.”

I was a little worried at first as this site could be an email address collection spam feeder mechanism. But after reading through the site thoroughly and having a conversation with the developer over Reddit, it looks like he has nothing but good intentions. Additionally, the privacy page seems genuine … no lawyer-ry talk … just Mike explaining it like it is. In order to prevent abuse he does store some information for up to 10 days. The data doesn’t seem to be anything too serious though … just dates, times, IPs, user agents, and email address hashes (not your real one). So even if the application or server gets hacked, I still don’t see much of a problem.

Best yet … Mike continues on saying that all the code is open source and you can find it in his Github account. I haven’t looked through it personally but @hushedfeet mentioned that he skimmed it and it looks like it does what it intends to. He did mention that of course there are no promises what the service does on the backend. Additionally, it’s still pretty popular on Reddit and no one has complained there yet. The privacy page closes by saying that he promises not to share your address with anyone and will not send any further emails besides the test one. I tested the site a few days ago and haven’t received any spam yet … so that’s a good sign. 😉

Here’s a quick run-through I did with the service. As noted above the front page is pretty simple. Just enter your email address and hit enter.

Here is the initial result page before opening up any dynamic HTML content in my email client.

Next, I let the dynamic HTML content fly and nine of the ovals turned red. You can click on each of the ovals to get a more detailed description.

Now I allow it to show images/remote content and four more ovals turned red. Since I was using a web-based email client, Firefox popped up a message asking to store data on my computer for offline use. I allowed it but the results remained the same. There was a also submit query window that appeared. I let it go but again nothing changed.

Finally, I opened the same message in the default mail app on my iPhone and things really started to light up. I did notice that on the iPhone it didn’t display any text. It was just a blank message.

And for those that are curious, here is the original email after allowing dynamic HTML content and remote images.

Overall, seems like a great service to verify if your email client leaks potentially sensitive information. If it does, Mike recommends checking to see if your privacy settings are set to their full extent. Assuming your configs are locked down, you may want to contact the developer of the client to see if they are able to fix it. And for those email client developers out there, this service looks like a perfect fit to include in your testing process. You can find out more information about this service by heading over to

Update 8/12/12: For manually configuring Thunderbird to restrict some of these privacy leaks, check out this “Hiding in Plain Sight” post from Dave Monnier. There’s also instructions for viewing leaky data from your side.


Do you know of any other cool privacy services out there? Let us know in the comments below. Today’s post pic is from See ya!

11 comments for “Is Your Email Client Leaking Sensitive Information?

  1. May 7, 2012 at 9:09 am

    #NoVABlogger Is Your Email Client Leaking Sensitive Information?

  2. May 9, 2012 at 9:04 am

    Is Your Email Client Leaking Sensitive Information? #privacy #security via @grecs

  3. July 2, 2012 at 10:54 am

    Best Of: Is Your Email Client Leaking Sensitive Information?

  4. August 11, 2012 at 10:01 am

    Re prev tweet .. thr’s also EmailPrivacyTester that we previously wrote abt.

  5. August 11, 2012 at 10:49 am

    @Shpantzer @teamcymru There’s also EmailPrivacyTester that we previously wrote abt.

  6. August 13, 2012 at 7:01 am

    “@novainfosec: Best Of: Is Your Email Client Leaking Sensitive Information?” < Nice. Tested your emailer lately?

  7. September 20, 2012 at 2:57 am

    Best Of: Is Your Email Client Leaking Sensitive Information?

  8. November 12, 2012 at 9:17 pm

    Best Of: Is Your Email Client Leaking Sensitive Information?

  9. April 21, 2013 at 11:33 pm

    Best Of: Is Your Email Client Leaking Sensitive Information?

  10. February 20, 2014 at 10:38 pm

    Best Of: Is Your Email Client Leaking Sensitive Information?

  11. March 2, 2014 at 10:46 am

    Best Of: Is Your Email Client Leaking Sensitive Information?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.