Email providers like Gmail,yahoo,hotmail do not load images in the email directly. These services require you to allow the images to be laoded. Why do they do this? Is it to prevent XSS/CSRF?
+1
A:
Because this allows the (potentially hostile sender's) server to know the email was received.
Pavel Radzivilovsky
2010-08-31 09:04:55
i don't see any harm in this? any vulnerabilities in this?
RJ
2010-08-31 09:40:18
Define 'harm'. For example, it would let a spammer know which addresses are active and which are not, to spam more efficiently. It would let them profile you according to "which emails you are likely to open", etc.
Pavel Radzivilovsky
2010-08-31 10:34:19
got your point now...thnks.....
RJ
2010-08-31 10:40:00
A:
A lot of spam mails use images to identify valid mail addresses, by embedding malicious images in content. For example:
<img src="http://example.com/[email protected]" />
Vivien Barousse
2010-08-31 09:06:27
+4
A:
Two reasons - Privacy and CSRF.
Privacy
It allows the sender to figure out whether I have opened the email or not, without my knowledge. Spammers can figure out whether their "marketing" campaigns have had any impact or not.
CSRF
For CSRF to work, the victim has to click a link or visit the attackers page. If email clients were to display images automatically, just opening an email would be sufficient to launch a CSRF attack.
For example, lets assume paypal had a csrf vulnerability. Also assume that the user was logged on to paypal. Now, an attacker sends the user an email with <img src="http://paypal.com/transferfunds?fromAccount=victim&toAccount=attacker"/>. As soon as the user opens the email, funds would get transferred.
sri
2010-08-31 10:47:56