Bug ID: 390452
           Summary: HTML Backchannel in Trojitá Mail Client: DNS
           Product: trojita
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: Core
  Target Milestone: ---

Created attachment 110652
HTML Backchannel in Trojitá Mail Client: DNS Prefetching

Dear Trojitá Devs,

In the scope of academic research within the efail project, in cooperation with
Ruhr-University Bochum and FH Münster, Germany, we systematically analyzed
Trojitá for `web bugs' and other backchannels which have an impact on the
user's privacy. The results are as follows.

*** Introduction ***

It is well known that spammers abuse `web bugs' -- 1x1 pixel images in HTML
emails -- to track if their mails to a certain address are actually read. To
respect the privacy of their customers most email clients, by default, block
external content. However, we found a bypass for remote content blocking in

*** The Impact ***

The issue allows the sender of an email to leak information such as:

- if and when the mail has been read
- the number of users on a mailing list

*** The Bypass ***

The following HTML email triggers a DNS request to the DNS server responsible
for when the email is opened in Trojitá (without any
user interaction required):

<meta http-equiv="x-dns-prefetch-control" content="on">
<a href="";></a>

Note that it is easy to set up a DNS server controlled by the spammer
responsible for her own domain,, and all its subdomains.


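A check for the markup described in the report, as an added example that is not part of the original bug report or of Trojitá's code: it scans an HTML mail body for the `x-dns-prefetch-control` meta tag and lists the hostnames a prefetching renderer could resolve. It goes slightly beyond the report by also treating `<link rel="dns-prefetch">` as a trigger; the names `PrefetchAudit`, `audit` and `SAMPLE`, and the `tracker.example` hostname, are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PrefetchAudit(HTMLParser):
    """Collects markup that can cause DNS lookups without any content fetch."""

    def __init__(self):
        super().__init__()
        self.forces_prefetch = False  # meta tag explicitly switching prefetch on
        self.hosts = set()            # hostnames a prefetching renderer may resolve

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            if a.get("content", "").lower() == "on":
                self.forces_prefetch = True
        elif tag == "a" or (tag == "link" and "dns-prefetch" in a.get("rel", "").lower().split()):
            self._add_host(a.get("href", ""))

    def _add_host(self, href):
        try:
            host = urlsplit(href).hostname  # None for mailto:, relative or empty hrefs
        except ValueError:                  # malformed authority, e.g. an unclosed "["
            return
        if host:
            self.hosts.add(host.lower())


def audit(html):
    """Return whether the mail forces DNS prefetching and which hosts it names."""
    parser = PrefetchAudit()
    parser.feed(html)
    parser.close()
    return {"forces_prefetch": parser.forces_prefetch, "hosts": sorted(parser.hosts)}


# Constructed sample mail body; the hostname is a placeholder, not from the report.
SAMPLE = (
    '<html><head><meta http-equiv="x-dns-prefetch-control" content="on"></head>'
    '<body><a href="http://recipient-42.tracker.example/"></a>'
    '<a href="mailto:someone@mail.example">contact</a></body></html>'
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A mail gateway or a client test suite can use the result to strip the meta tag before rendering or to confirm that a renderer with prefetching disabled performs no lookups for the listed hosts.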