[kmail2] [Bug 394554] New: Regression: kMail 5.8.1 Information Leak: kMail loads external references in HTML mails without asking

Gunter Ohrner bugzilla_noreply at kde.org
Tue May 22 10:12:07 BST 2018


https://bugs.kde.org/show_bug.cgi?id=394554

            Bug ID: 394554
           Summary: Regression: kMail 5.8.1 Information Leak: kMail loads
                    external references in HTML mails without asking
           Product: kmail2
           Version: 5.8.0
          Platform: Neon Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: UI
          Assignee: kdepim-bugs at kde.org
          Reporter: kdebugs at CustomCDROM.de
  Target Milestone: ---

kMail 5.8.1 seems to load external references in HTML emails without asking,
possibly disclosing to a third party (company / spammer / scammer) that the
mail has been displayed.

I configured kMail to prefer plain text messages and not to load any external
references. (The current Efail debate shows the validity of those measures.)

After clicking "activate formatted HTML display", older kMail versions (until
recently) would roughly format the message but display a second question "load
external references" which had to be confirmed explicitly.

If I click "activate formatted HTML display" in kMail 5.8.1, all external
images for example seem to be loaded immediately, possibly disclosing
information about validity / reachability of my email address to adverse third
parties.


Expected behaviour: If "load external references" is unchecked in the options,
no external references (CSS styles, images, anything else) are loaded until I
explicitly confirm that I actually want to do so.

It's important that "render HTML" and "load external references" are split into
two separate steps, as lots of HTML mails do not have any proper plain text
content embedded, so I sometimes have to resort to the rendered HTML contents
to even decide if the mail is legit (or I want to trust it fully) or not. This
gets close to impossible if activating HTML rendering will automatically load
all stuff it references from the internet, including activating counter pixels
or submitting tracking ID information by specifically crafted HTTP GET
requests.

Additionally, externally referenced file types may be loaded which I really do
not want to be downloaded, like PDF or even some script or executable files.

-- 
You are receiving this mail because:
You are the assignee for the bug.
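The two-step behaviour the report asks for, as an added example that is not KMail's code: a Python sanitizer that rewrites an HTML mail so rendering it fetches nothing remote (images, CSS backgrounds, stylesheets, url() in style blocks), while recording the blocked URLs for a separate, explicit "load external references" prompt. The class and function names, the t.example host and the sample mail are constructed for this illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
# Attributes a renderer fetches on layout; href only matters on <link>
# (an <a href> is not fetched until clicked). cid:/data:/relative URLs stay.
FETCH_ATTRS = {"src", "background", "srcset", "href"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)
def is_external(url):
    return url.strip().lower().startswith(("http:", "https:", "//", "ftp:"))
class ExternalRefBlocker(HTMLParser):
    # Swaps each auto-fetched external URL for about:blank and records it.
    def __init__(self):
        super().__init__()  # tag and attribute names arrive lowercased
        self.out, self.blocked, self.in_style = [], [], False
    def _css(self, m):  # url(...) inside style="" or a <style> block
        if not is_external(m.group(1)):
            return m.group(0)
        self.blocked.append(m.group(1))
        return "url(about:blank)"
    def _tag(self, tag, attrs, close=""):
        parts = [tag]
        for name, value in attrs:
            if value is not None and name == "style":
                value = CSS_URL.sub(self._css, value)
            elif (value is not None and name in FETCH_ATTRS
                  and (name != "href" or tag == "link") and is_external(value)):
                self.blocked.append(value)
                value = "about:blank"
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append(f"<{' '.join(parts)}{close}>")
    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, "/")
    def handle_endtag(self, tag):
        self.in_style = False
        self.out.append(f"</{tag}>")
    def handle_data(self, data):  # CSS text is scrubbed, ordinary text re-escaped
        self.out.append(CSS_URL.sub(self._css, data) if self.in_style
                        else escape(data, quote=False))
def neutralize_external_refs(html):
    # Returns (safe_html, blocked_urls): render the first right away, fetch the
    # second only after an explicit "load external references" confirmation.
    p = ExternalRefBlocker(); p.feed(html); p.close()
    return "".join(p.out), p.blocked
# Constructed sample mail: remote stylesheet, CSS background, inline cid part,
# 1x1 tracking pixel with a placeholder id, and a plain link (not auto-fetched).
MAIL = ('<html><head><link rel="stylesheet" href="https://t.example/s.css"></head>'
        '<body style="background:url(https://t.example/bg.png)"><img src="cid:logo@part">'
        '<img src="https://t.example/px.gif?id=PLACEHOLDER" width="1" height="1">'
        '<a href="https://example.org/">link</a></body></html>')
```

Everything in the returned list is what the mail would have fetched on display; a client that shows the sanitized HTML and only fetches that list on request keeps the tracking pixel from firing until the user decides.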
