Roundcube Webmail: SVG feImage bypasses image blocking to track email opens

Roundcube Webmail had a sneaky vulnerability that allowed attackers to bypass the "Block remote images" setting, enabling email open tracking even when users thought they were protected. The flaw originated from its HTML sanitizer, which misclassified the SVG <feImage href> attribute as a benign link rather than an image source. This detailed technical write-up is popular on HN for highlighting a clever, subtle sanitizer bypass with significant privacy implications.

HN stats: score 2, 0 comments, highest rank #2, 9h on the front page; first seen Feb 8, 6:00 PM, last seen Feb 9, 2:00 AM.

The Lowdown

A recent disclosure by nullcathedral detailed a subtle but impactful security vulnerability in Roundcube Webmail. The flaw allowed malicious actors to bypass the "Block remote images" security feature, enabling them to track email opens and collect user data (such as IP addresses) without the user's explicit consent.

  • The vulnerability, affecting Roundcube Webmail versions below 1.5.13 and 1.6.13, revolved around its rcube_washtml HTML sanitizer.
  • Specifically, the sanitizer failed to correctly identify the href attribute within an SVG <feImage> element as an image source.
  • Instead of being processed by is_image_attribute() (which blocks external URLs), <feImage href> was routed through wash_link(), which permits HTTP/HTTPS URLs.
  • This allowed an attacker to embed an invisible SVG with a remote feImage link, forcing the client to load it despite security settings.
  • The impact included confirming email opens, logging IP addresses, and enabling browser fingerprinting, directly compromising user privacy.
  • The fix involved modifying the is_image_attribute() function to explicitly include feimage alongside image and use tags when checking for href attributes.
  • Users are strongly advised to update their Roundcube installations to versions 1.5.13 or 1.6.13 to patch this vulnerability.
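
As an added example (not code from Roundcube or the disclosure), the Python model below mirrors the sanitizer's dispatch described above: `src`, and `href` on the listed tags, go down the image path where remote URLs are blocked, while every other `href` goes down the link path where an http/https URL passes through. The only difference between the vulnerable and fixed versions is whether `feimage` is in the tag set; the tracking SVG, the regexes and the `BLOCKED` placeholder are constructed assumptions.

```python
import re

# Tags whose href is an image reference in the sanitizer's is_image_attribute():
# image and use before the fix, feimage added by it (names lowercased for lookup).
IMAGE_HREF_TAGS_VULNERABLE = frozenset({"image", "use"})
IMAGE_HREF_TAGS_FIXED = frozenset({"image", "use", "feimage"})

TAG_RE = re.compile(r'<([A-Za-z][\w:-]*)((?:\s+[\w:-]+="[^"]*")*)\s*(/?)>')
ATTR_RE = re.compile(r'([\w:-]+)="([^"]*)"')
REMOTE_RE = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)           # assumption
LINK_OK_RE = re.compile(r"^\s*(?:https?://|mailto:|#)", re.IGNORECASE)  # assumption
BLOCKED = "data:,blocked"  # constructed stand-in for a blocked image URL

# Constructed sample: an invisible SVG filter whose feImage points at a remote host.
TRACKING_SVG = ('<svg width="0" height="0"><filter id="f">'
                '<feImage href="https://example.invalid/pixel?u=123"/>'
                '</filter></svg>')


def is_image_attribute(tag, attr, image_href_tags):
    """src is always an image source; href only on the listed tags."""
    return attr == "src" or (attr == "href" and tag in image_href_tags)


def wash_attribute(tag, attr, value, image_href_tags, block_remote):
    """Return the attribute value the sanitizer keeps, or None to drop it."""
    if is_image_attribute(tag, attr, image_href_tags):
        # Image path: with "Block remote images" on, remote URLs are replaced.
        return BLOCKED if block_remote and REMOTE_RE.match(value) else value
    if attr == "href":
        # Link path (wash_link): an http/https URL passes through untouched, so a
        # misrouted image reference is still fetched when the mail is rendered.
        return value if LINK_OK_RE.match(value) else None
    return value


def wash_html(html, image_href_tags, block_remote=True):
    """Rewrite src/href on every tag; a minimal model, not a full sanitizer."""
    def fix_tag(m):
        tag = m.group(1).lower()

        def fix_attr(a):
            name, value = a.group(1).lower(), a.group(2)
            kept = wash_attribute(tag, name, value, image_href_tags, block_remote)
            return "" if kept is None else f'{name}="{kept}"'
        return f"<{m.group(1)}{ATTR_RE.sub(fix_attr, m.group(2))}{m.group(3)}>"
    return TAG_RE.sub(fix_tag, html)
```

Running `wash_html(TRACKING_SVG, ...)` with the vulnerable tag set leaves the remote URL in place; with the fixed set the feImage reference is replaced exactly like an `<img src>` would be.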

This incident serves as a pertinent reminder of the intricate challenges in building robust HTML sanitizers and the constant need to account for every conceivable way external resources can be loaded, particularly in applications handling sensitive user communications.