Security Vulnerability of HTML Emails

This is a newly discovered email vulnerability:

The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible. A phishing email you had to trust because you knew the sender and they even confirmed that they had forwarded it to you.

This attack is possible because most email clients allow CSS to be used to style HTML emails. When an email is forwarded, the position of the original email in the DOM usually changes, allowing for CSS rules to be selectively applied only when an email has been forwarded.

An attacker can use this to include elements in the email that appear or disappear depending on the context in which the email is viewed. Because they are usually invisible, only appear in certain circumstances, and can be used for all sorts of mischief, I’ll refer to these elements as kobold letters, after the elusive sprites of mythology.
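The mechanism described above (a CSS rule whose selector only matches once the message body is nested inside a forwarding container) is something a mail gateway or client can check for before rendering. The following is an added example, not code from the post or from the kobold-letters research: it parses a constructed HTML message, flags style rules that either hide content by default or make visibility depend on DOM position (descendant, child, sibling or `:nth-`/`:first-`/`:last-` selectors), and produces a copy with all `<style>` blocks and inline `style` attributes removed so the message renders identically wherever it ends up. The class names `.pretext`, `.kobold` and the ancestor selector `.quoted` are assumptions for the sample, not any real client's markup.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the post): a message whose <style> block shows an
# innocent paragraph when viewed directly and swaps in a different block once the
# body is nested under an ancestor with class "quoted". The class names and the
# ancestor selector are assumptions for the example, not any real client's markup.
SAMPLE_EMAIL = """<html><head><style>
  .pretext { display: block; }
  .kobold  { display: none; }
  .quoted .kobold  { display: block; }
  .quoted .pretext { display: none; }
</style></head>
<body>
  <p class="pretext">Hi, I have a couple of questions about your pricing.</p>
  <div class="kobold">Different content, shown only after the message is forwarded. See <a href="https://example.invalid/login">our portal</a>.</div>
  <p style="font-size:0">tracking text</p>
</body></html>"""

# CSS properties that can make content appear or disappear.
VISIBILITY_PROPS = {"display", "visibility", "opacity", "font-size", "height",
                    "max-height", "overflow", "clip", "position", "color"}
# Anything that makes a selector depend on where the element sits in the DOM.
COMBINATOR_RE = re.compile(r"\s|>|\+|~|:nth-|:first-|:last-|:not\(|:has\(")
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")


def _parse_decls(body):
    """'display: none; color:red' -> {'display': 'none', 'color': 'red'}"""
    decls = {}
    for d in body.split(";"):
        if ":" in d:
            k, v = d.split(":", 1)
            decls[k.strip().lower()] = v.strip().lower()
    return decls


def _hides(decls):
    return (decls.get("display") == "none" or decls.get("visibility") == "hidden"
            or decls.get("opacity") == "0" or decls.get("font-size") in ("0", "0px"))


class _CssStripper(HTMLParser):
    """Collects <style> text and inline style attributes while rebuilding the
    markup without either, so the result renders the same in every context."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.styles, self.inline, self.out = [], [], []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            return
        kept = []
        for k, v in attrs:
            if k == "style":
                self.inline.append((tag, v or ""))   # record, but do not emit
            else:
                kept.append(f' {k}="{v}"' if v is not None else f" {k}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        (self.styles if self._in_style else self.out).append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry no visible content; dropping them is safe


def analyse_email(html):
    """Return (findings, sanitized_html). Each finding is a tuple
    (kind, selector_or_tag, visibility_declarations)."""
    p = _CssStripper()
    p.feed(html)
    p.close()
    findings = []
    for sel, body in RULE_RE.findall("".join(p.styles)):
        decls = _parse_decls(body)
        vis = {k: v for k, v in decls.items() if k in VISIBILITY_PROPS}
        if not vis:
            continue
        for s in (x.strip() for x in sel.split(",") if x.strip()):
            if COMBINATOR_RE.search(s):
                findings.append(("context-dependent", s, vis))
            elif _hides(vis):
                findings.append(("hidden-by-default", s, vis))
    for tag, style in p.inline:
        decls = _parse_decls(style)
        if _hides(decls):
            findings.append(("hidden-by-default", f"<{tag} style>", decls))
    return findings, "".join(p.out)


if __name__ == "__main__":
    found, clean = analyse_email(SAMPLE_EMAIL)
    for kind, where, vis in found:
        print(f"{kind:18} {where:20} {vis}")
    print(clean)
```

On the sample this reports `.kobold` as hidden by default, both `.quoted …` rules as context-dependent, and the zero-size inline paragraph, while the sanitized copy keeps every piece of text and every link visible. The regex-based CSS parsing is deliberately crude (no `@media` or `@import` handling), which is why the strip-everything output, rather than the finding list, is the part worth relying on: with no CSS left, the position of the body in the DOM can no longer change what is shown.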

I can certainly imagine the possibilities.

Posted on April 8, 2024 at 7:03 AM • 17 Comments

Comments

P Cause April 8, 2024 11:37 AM

I’ve been reading my emails in plain text forever. I’ve talked to CTOs of leading cyber security companies and asked them if they read in HTML. ALL said that they did, including those who were offensive hackers in a past life. When I point out the risks, they all shrug, agree they are vulnerable, but … Just an example of convenience / user experience winning the day even with the most knowledgeable cyber folks.

mark April 8, 2024 1:14 PM

Newly discovered? As opposed to all the other vulnerabilities in HTML email? Here, click our link to our site (hidden by html, mycon.gotcha.scam).

I have always read my email as plain text. The point is what you have to say, not how fairy dust pretty it is.

lurker April 8, 2024 1:37 PM

There’s a difference between “Forward” and “Redirect”. Forward wraps the letter in a new envelope to show it has been through the forwarder’s hands. Redirect is supposed to send the letter on like a mail relay agent, and the recipient would have to examine and understand the headers to know it had been seen by other eyes. Is this a security risk? It seems not enough people knew the difference to use each feature in its proper context, so many modern email clients don’t do Redirect.

HTML email is where the rot set in that now allows attachments to SMS.

Ralph Haygood April 8, 2024 4:46 PM

The insecurities of HTML email are a major reason I still use (gasp) Pine (technically Alpine). My friends are usually shocked to learn that I use such a “dinosaur”, but (1) it works fine and (2) my considered opinion is that HTML email is a bad idea. (I open URLs and attachments in isolated and disposable virtual machines.)

Ironically, in view of this story, one of the reasons I as a web-application developer dislike HTML email is that although email clients do support CSS to some degree, that support is uneven and generally inferior to the support in real browsers. (For example, many don’t support nth-child selectors.) So getting HTML email to work properly in most clients is painful.

xyzzy April 8, 2024 5:34 PM

Thunderbird -> View -> Message Body As -> Plain Text

If nothing else it kills tracking pixels. And whatever new “something else” comes along.

Jonathan Wilson April 8, 2024 6:21 PM

HTML email is one of those technologies where (IMO) the world would be a better place if it had never been invented.

Clive Robinson April 8, 2024 6:29 PM

@ Bruce, ALL,

“I can certainly imagine the possibilities.”

You could have put the words “some of” in there 😉

OK this is not Xmas and it’s a little after Easter, but… I think we might say,

“This is an Easter Egg that will keep on giving”

Because whilst it won’t have “unlimited mileage” I suspect it will get driven places we’ve yet to imagine let alone see…

Clive Robinson April 8, 2024 6:58 PM

@ ALL,

Time for my usual comment,

“And people wonder why I don’t do EMail”.

Importantly though, have people actually thought about the “how” of “HTML” getting “ram rodded” into EMail?

Well along the road map you will find Micro$haft… It was part of their “the desktop is a browser” idea, that was dreamed up to defend against prosecution for forcing IE down everyone’s throat.

Their argument was that if they moved the HTML engine into the desktop they could argue IE was “integral to Windows” thus their war against Netscape was not what it actually was but a “delusion” in certain peoples minds…

Oh they also did the usual “embrace and extend” nonsense to further force IE onto people[1]…

Just a bit of history people should remember, especially the Linux folk, now M$ has decided to “embrace” it. Just don’t say you were not warned…

[1] As Terry Pratchett used to joke “The leopard does not change his shorts”,

https://www.goodreads.com/quotes/10833785-hah-the-leopard-does-not-change-his-shorts-my-girl

It was suspected though Terry never confirmed it when I asked over a drink that it was a side reference to Douglas Adams “Hitch hikers” and the Planning Dept Display area,

https://www.goodreads.com/quotes/40705-but-the-plans-were-on-display-on-display-i-eventually

After all why else would a leopard be in a disused toilet except to change his shorts 😉

Winter April 8, 2024 8:36 PM

@Clive

Importantly though, have people actually thought about the “how” of “HTML” getting “ram rodded” into EMail?

Marketing? Because it could?

I seem to remember that MS tried to get people to email Word documents as the email body and vice versa. HTML ended up being the obvious way to get the formatting to survive the limitations of the SMTP email infrastructure. The next step of forcing everybody to use MS Word to email somehow didn’t work out.

Btw, the dangers of using HTML, CSS, and JavaScript in email was already known in the 1990’s.

Winter April 8, 2024 8:41 PM

@Clive

Just a bit of history people should remember, especially the Linux folk, now M$ has decided to “embrace” it. Just don’t say you were not warned…

More like: If you cannot beat them, join them. The same as they did with CDs in computers, the internet, and JavaScript.

44 52 4D CO+2 April 8, 2024 9:04 PM

Btw, the dangers of using HTML, CSS, and JavaScript in email was already known in the 1990’s.

nudge nudge – wink wink

Clive Robinson April 9, 2024 10:11 AM

@ Winter,

Re : leaders in what?

“More like: If you cannot beat them, join them.”

Microsoft have never been original, the “driver for CDs” was stolen by MS from work done by a company called “SilverPlatter”.

As many know Microsoft just took the BSD networking code and turned the slashes around and made one or two trivial modifications. It’s why the original “Teardrop attack” took down nearly every OS in use.

As for “javascript” lets not go there the path of theft is wide and long on that one.

Then there was Java…

I could go on, the list is long… but the upshot for Microsoft can be summed up by a quote from a SciFi sitcom,

“Originality is what you ain’t got”

But also the old saw of,

“If Microsoft is the answer, then you are asking the wrong question!”

Whilst the industry thinks Gary Kildall might have later regretted flying his plane rather than talking to some IBM “two bits” (the story is not really true[1]), the rest of the world has regretted what IBM did thousands if not millions of times a day ever since…

[1] You can see an overview of what happened in,

https://www.forbes.com/forbes/1997/0707/6001336a.html

You will note that Microsoft got hit legally as it repeatedly did over the years… The thing is Billy “bob in your chair like a Weeble Toy” figured the best way was lie, cheat, steal, then spin and delay in court, a policy that still continues to this day.

echo April 9, 2024 6:21 PM

As per earlier recommendation it’s nothing but text email for me.

All comms protocols should be an open standard with open source reference implementation. Also corporate silos wrapping standards behind proprietary junk is tiresome. I don’t want to run a dozen applications of varying degrees of bloat and questionable provenance. Just knock it off.

And encryption as a universal standard please because in all honesty the threat to governance by not having encryption is multiple magnitudes worse than a random bomber. In fact I’m beginning to suspect this ding dong over encryption disguises other methods are probably the primary tool.

Bad domestic and foreign and development policy has caused more problems than encryption by default ever will unless someone can show me a well reasoned essay arguing different. Everything else is a standards and policing problem.

Tami April 12, 2024 6:00 AM

This reminds me of the good old “X-Message-Flag”. I am still using it, and once in a while I get a funny conversation, as I have set it to

X-Message-Flag: If you can read this your system is insecure
