Paranoid or spam-averse users should steer clear of Apple's desktop or iPhone mail clients for a while, as mails can't be prevented from using HTML 5 tags for tracking. In common with the majority of email clients, Apple's can be configured not to load remote images embedded in messages, for privacy and spam prevention. But …
Those who are concerned about their privacy and want a bit more control over what their computers are sending to the outside world should check out Little Snitch:
It's an easy to use personal firewall that can be configured to allow or block access to any address on any port, by any application.
It will also announce any attempts made by any application or system service to connect to the outside, to give you a chance to allow it or deny it; hence the name.
M'self I use google direct from Safari
'cos the crappy email client don't thread. Funny how I seem to be the only person that finds this useless.
Mail does view by thread if you want it to.
You must be blind. Threading has been there for ages.
I use Apple mail and Little Snitch is always banging on about this and that when HTML enabled emails are viewed, straight on the DENY button for the bloody lot!
I too protest at every update of Mail.app the sorry excuse it calls "Organize by Thread".
Is this the first use of HTML5 as an exploit vector?
Sounds like just an implementation glitch, but is this the first documented case of spammers/malware writers targeting aspects of HTML5?
Don't read html messages!
I use Messenger Pro on a RiscPC which allows me to work in plain text. Even html-only messages are stripped of mark-up, which means losing links that aren't visible. I've set Apple Mail to use plain text but that only works for composing messages. When reading and replying to messages it still uses html which is potentially dodgy.
Hi. This bug is more serious than the article implies. Knowing this, I can craft an email such that whenever it is read by an Apple Mail user or iPhone user, I will get a notification of the time and the IP address that they read it from. Completely transparently to them, even if they turn off images and read receipts! I know which of my regular contacts use these devices because it tells me in the x-mailer headers of the emails that they send me... Good job I'm not a stalker.
Also, I've just tried it and if the audio link is valid, then Apple Mail will even play the audio out loud automatically! The iPhone doesn't seem to play it though.
Might have to stop using Apple Mail then. I'd previously assumed that turning off an option actually.. y'know.. turned it off.
e-mail is text/plain
And if not then user's preferences must be respected by the MUA. Apple Mail is still a pale clone of Postmaster and way behind most other mail clients except if you think "templates" are important. And, why oh why, in Apple's new service oriented world does Mail have to start in order to send a calendar invitation? This should be configurable through an API.
Opera Mail rocks - fast full-text search by far.
What about webmail
Does this also affect people who use webmail through an HTML5-compatible browser?
If so you should update the article with your findings as it's much wider in scope than the 5-10% of web users using those clients.
Re: What about webmail
That would be down to the individual webmail implementation. For example, it might work in hotmail, but not gmail. I severely doubt any of the major ones have this problem, but I bet people have tried it.
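The gap discussed in this thread is that remote-content blocking keyed on `<img>` leaves HTML5 media elements free to fetch remote URLs, and whether a webmail service is exposed depends on how its own filter handles them. As an added example (not from the article, any commenter, or Apple's code), here is a filter-side check that lists every remote fetch in a message body and shows which ones an image-only rule would miss; the attribute list, function names and sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that make a mail client fetch a URL while rendering a message.
FETCH_ATTRS = {"src", "poster", "background", "srcset"}
REMOTE_PREFIXES = ("http://", "https://", "//")


class RemoteLoadFinder(HTMLParser):
    """Collect (tag, attribute, url) for every remote fetch in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            # srcset holds "url 1x, url 2x"; the others hold a single URL.
            parts = value.split(",") if name == "srcset" else [value]
            for part in parts:
                url = part.split()[0] if part.strip() else ""
                if url.lower().startswith(REMOTE_PREFIXES):
                    self.hits.append((tag, name, url))


def find_remote_loads(html_body):
    finder = RemoteLoadFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits


def missed_by_image_only_filter(html_body):
    """Remote loads left in place by a filter that only blocks <img>."""
    return [hit for hit in find_remote_loads(html_body) if hit[0] != "img"]


# Constructed sample body; tracker.example is a placeholder host.
SAMPLE = """<p>Hello</p>
<img src="https://tracker.example/pixel.gif?id=42">
<img src="cid:logo@local">
<audio src="https://tracker.example/a.ogg?id=42" autoplay></audio>
<video poster="https://tracker.example/p.png?id=42">
<source src="https://tracker.example/v.mp4?id=42"></video>"""

if __name__ == "__main__":
    for tag, attr, url in missed_by_image_only_filter(SAMPLE):
        print(f"not covered by image blocking: <{tag} {attr}> {url}")
```

A filter that neutralises every hit from `find_remote_loads`, rather than only `<img>`, closes the gap for these attributes; CSS `url()` references are outside what this check covers.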