Vulnerability Development mailing list archives
RE: Email webbugs
From: Javier Palomares Lopez <Jpalomares () abasesores es>
Date: Mon, 27 Aug 2001 18:30:00 +0200
You have an option to avoid sending a confirmation in: Tools => Options => Preferences tab => E-mail options => Tracking options

This sequence is for Outlook 2000, but in OE and in other versions it is very similar.

But this isn't the real problem. A hacker with a webserver could watch if your account is active, just by adding a small pic and watching in his logs when you loaded it. Also, he could watch your IP, your browser and/or email client, ...

Finally, I suggest that, to improve your neighbourhood security, you use plain text clients when possible and send only plain text mails.

Regards,
Javier Palomares.

--------------------------------------------------------------

We have the option to refuse confirmations in: Tools => Options => Preferences tab => E-mail options => Tracking options.

This sequence is for Outlook 2000, but for other versions and for OE it is very similar.

But that is not the real problem. A hacker with a webserver can see whether your account is active, simply by adding a small image and then looking at it in the logs. Besides confirming that your account is active, he can see the date, IP, browser, and/or mail client, ...

Finally, to improve security in your environment, I suggest that, as far as possible, plain text clients be used and mails be sent only in plain text.

Regards.
Javier Palomares.

-----Original message-----
From: abuse [mailto:postmaster () getinfo org]
Sent: Monday, August 27, 2001 14:13
To: Focus-MS
CC: VULN-DEV@SECURITYFOCUS.COM; BUGTRAQ@SECURITYFOCUS.COM; win2ksecadvice () LISTSERV NTSECURITY NET
Subject: Email webbugs

One of the things that has always bothered me about Outlook Express and Outlook is that they are susceptible to webbugs. Basically there are no options to block confirmation of your reading an email so any spammer can verify that your address is active as long as they can get you to just view an email.

A lot of people have difficulty understanding exactly what this means so I set up a demonstration page at http://www.nthelp.com/OEtest/oe.htm in an attempt to raise awareness of this nonsense and get MS to do something about it.

I don't know if other email programs like Eudora and Netscape are vulnerable to email webbugs so if anyone tests those please let me know the results. Anyway, I've made the test site available to the public now so if you want to check your email reader, feel free.

Geo.
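The tracking discussed in this thread depends on the HTML part of a message referencing a resource on a remote server, which the mail client fetches when the message is displayed. As an added example (not part of the original posts), the Python script below lists such auto-loading remote references so a mail filter or reader can flag or strip them before rendering; the sample message, the host tracker.example, the set of checked attributes and the function names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that an HTML-rendering mail client fetches on display.
AUTO_FETCH = {("img", "src"), ("body", "background"), ("table", "background"),
              ("td", "background"), ("iframe", "src"), ("link", "href")}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                url = value.strip()
                # cid: and data: images are embedded in the mail, not fetched.
                if urlsplit(url).scheme.lower() in ("http", "https"):
                    self.refs.append((tag, url))

def find_remote_refs(raw_message):
    """Return (tag, url) for every auto-loading remote reference in HTML parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

def sample_message():
    """Constructed sample: one embedded image, one remote per-recipient image."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text body\n")
    m.add_alternative(
        '<html><body><p>Hello</p>\n<img src="cid:logo">\n'
        '<IMG SRC="http://tracker.example/p.gif?id=rcpt-0001" width=1 height=1>\n'
        "</body></html>\n", subtype="html")
    return m.as_string()

if __name__ == "__main__":
    for tag, url in find_remote_refs(sample_message()):
        print(f"remote <{tag}> fetch on view: {url}")
```

A plain-text-only message yields an empty list, which matches the advice in the reply above: with no HTML part there is nothing for the client to fetch.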