
Show HN: Super Mail Forward, an HTML email that evolves as you forward it - hteumeuleu
https://medium.com/@hteumeuleu/super-mail-forward-an-email-that-evolves-as-you-forward-it-84466596f30d
======
ldom22
This is great for pranks: you send a serious-looking email to someone, and
then they forward it to someone else thinking they sent some chart or whatever,
but the next receiver instead sees another picture of your choosing.

~~~
myztic
Or a new way to distribute spam? ;)

~~~
semi-extrinsic
Or spearphishing. Send a secretary something that looks like a nice business
proposal, then when she forwards it to her boss it's a link to some XSS
attack.

~~~
zarq
Should be the other way around. You forward an email that's "obviously" spam,
and then the abuse guys go "what do you mean, this is a regular project status
update!"

~~~
ldom22
You can use it to send "for your eyes only" stuff.

example: send an image to Mary and tell her not to send it to anyone else. She
inevitably sends it to someone else, but the image magically changes to
another image that says a message, maybe it says "DAMN IT MARY, I SAID DON'T
SEND IT TO ANYONE ELSE!"

~~~
cmdrfred
I'd replace it with "Mary's STD Test results" so the person who receives it
will be very confused.

------
shimon
TL;DR: A series of markup and styling hacks that exploit HTML interpretation
quirks of various web email services can be hacked to intentionally vary
message appearance between services. Coupled with forwarding, which further
transforms the email using service-specific quirks, you can make a game where
different paths of forwarding across services trigger different appearances.

Fun hack! I feel like there should be some clever practical applications but
I'm drawing a blank.

~~~
lassejansen
One great application of this would be to hide the unsubscribe link if the
email is forwarded.

~~~
anonbanker
no anti-pattern is ever "great".

~~~
AdamTReineke
I wouldn't call that an anti-pattern, it prevents people you forwarded the
mail to from easily unsubscribing you from the mailing list. They aren't
subscribed, they shouldn't be able to unsubscribe.

------
yoavm
More than anything, this thing shows the sad situation of CSS support in
different email clients.

~~~
Latty
Sad situation? I'd say it's limited for security and user comfort. I can't say
I've ever felt HTML emails beyond basic text formatting and links improved my
life.

~~~
yoavm
How is Gmail not supporting 'box-shadow', or ignoring 'display: none;' but
allowing 'display: none !important;', a security feature? Not supporting
classes? Why does AOL mess with inline URLs (so that they stop working)?

This article is full of examples that are obviously bugs. And worse, it's all
neither documented nor standardised.

~~~
JoBrad
And then there's Outlook. My quality of life is so much better since I left
the email marketing industry.

------
whafro
One challenge many services face when sending emails is that you often want to
log a user into the account if they've clicked in from an email – after all,
if they have access to the email account, they can usually reset the password.

But the rub is always the propensity for users to forward on those same
emails. If they do, then the second recipient gets control of the first
recipient's account, and that's rarely the intention of the first
recipient/forwarder.

I haven't had a chance to dive in enough, but I wonder if a technique like
this could effectively swap tokenized links with generic links (even if you're
just swapping 'display' rules) when a message is forwarded. You might have to
use different message style/markup output depending on which service you're
sending the message to, but my read of this article is that it's not a
ridiculous thought.

------
mschuster91
Ironically, Lotus Notes Webmail is the only client I have seen so far that
actually uses iframes to display HTML emails. If webmails could just embed the
HTML content into an iframe with the proper sandbox attributes... _nods off
and dreams_

~~~
vortico
Wow, you could embed entire videos with the data: uri, or run entire web apps
with inline javascript with Lotus Notes if they don't sanitize it. Or
completely breach their privacy by scanning their LAN for webcam URLs or
taking screenshots with WebGL textures using Nvidia driver bugs... _nods off
and dreams_

~~~
mschuster91
No, that doesn't work with a proper sandbox attribute. To quote w3schools
([http://www.w3schools.com/tags/att_iframe_sandbox.asp](http://www.w3schools.com/tags/att_iframe_sandbox.asp)):

When the sandbox attribute is present, it will:

* treat the content as being from a unique origin

* block form submission

* block script execution

* disable APIs

* prevent links from targeting other browsing contexts

* prevent content from using plugins (through <embed>, <object>, <applet>, or other)

* prevent the content from navigating its top-level browsing context

* block automatically triggered features (such as automatically playing a video or automatically focusing a form control)

I'd say that blocking scripts and form submits, preventing links from changing
other contexts, and checking whether there's behavior stuff in the CSS (which
facilitates JavaScript injection) alone is enough to have a secure webmail
display. Responsive webmails \o/

~~~
Pxtl
Oh man, that _is_ a dream. I had no idea that this was a thing. Too bad
iframes themselves are kind of tricky to size correctly or I'd be using this
willy-nilly. Skip sanitizing HTML and use a full sandboxed HTML iFrame for
every comment on a user forum!

~~~
mschuster91
> Too bad iframes themselves are kind of tricky to size correctly

You could use an injected JS (postMessage with the iframe window height) and
update the iframe height from the outside. And for the content you should just
strip any script tags so you can safely allow scripting.

You should strip script tags in any case so that someone cannot use an API
call which outputs raw comments as a delivery vector.

Also, you're putting users without sandbox attribute support at risk of being
exploited... so you'd have to switch between two paths for display.
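The two comments above (the quoted list of what `sandbox` restricts, and the
postMessage-based resizing) fit together into one pattern. The following is an
added example and is not code from the article, from Lotus Notes or from any
webmail product; it assumes a hypothetical webmail page that owns the parent
document and wants to show an untrusted HTML message. The only capability
re-enabled is `allow-scripts`, so that the injected resize snippet can run;
`allow-same-origin` is deliberately left out, which is what makes the frame an
opaque origin that cannot reach the webmail's cookies, storage or DOM. The
pure functions (markup construction and message validation) are what a test
can exercise; the browser wiring at the bottom only runs in a page.

```javascript
'use strict';

// Added example: render an untrusted HTML email inside a sandboxed iframe and
// size it from the outside via postMessage. Not from the article or from any
// webmail product; the parent page and its element ids are assumptions.

// Every restriction is on by default; each token switches one capability back
// on. `allow-scripts` is granted only for the resize snippet below.
// `allow-same-origin` is absent on purpose: the frame gets an opaque origin.
const SANDBOX_TOKENS = ['allow-scripts'];

// Snippet appended to the message inside the frame. It only reports the
// document height upwards; the parent decides whether to trust the value.
const RESIZE_SNIPPET =
  '<script>' +
  'function r(){parent.postMessage({type:"email-height",' +
  'height:document.documentElement.scrollHeight},"*");}' +
  'window.addEventListener("load",r);window.addEventListener("resize",r);' +
  '</script>';

// Escape text for use inside a double-quoted HTML attribute (the srcdoc).
// Ampersands go first so already-escaped entities in the email round-trip.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Markup the parent inserts. srcdoc keeps the message out of any URL, and
// referrerpolicy stops the mailbox URL leaking to remote image hosts.
function buildEmailFrame(emailHtml, { width = '100%', initialHeight = 200 } = {}) {
  const doc = '<!doctype html><meta charset="utf-8">' + emailHtml + RESIZE_SNIPPET;
  return (
    '<iframe sandbox="' + SANDBOX_TOKENS.join(' ') + '"' +
    ' referrerpolicy="no-referrer"' +
    ' srcdoc="' + escapeAttr(doc) + '"' +
    ' style="border:0;width:' + width + ';height:' + initialHeight + 'px"' +
    '></iframe>'
  );
}

// Parent-side validation of a resize message. A sandboxed frame without
// allow-same-origin posts with origin "null", so the sender is identified by
// comparing event.source with the iframe's contentWindow, not by origin.
// The height is clamped so a hostile message cannot blow up the layout.
const MAX_HEIGHT = 20000;
function acceptedHeight(event, frameWindow) {
  if (!event || event.source !== frameWindow) return null;
  const d = event.data;
  if (!d || typeof d !== 'object' || d.type !== 'email-height') return null;
  const h = Number(d.height);
  if (!Number.isFinite(h) || h < 0) return null;
  return Math.min(Math.ceil(h), MAX_HEIGHT);
}

// Browser wiring (skipped under Node). Assumes a container element with the
// hypothetical id "message-body" and a variable `untrustedEmailHtml`.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const container = document.getElementById('message-body');
  if (container) {
    container.innerHTML = buildEmailFrame(window.untrustedEmailHtml || '');
    const frame = container.querySelector('iframe');
    window.addEventListener('message', (ev) => {
      const h = acceptedHeight(ev, frame.contentWindow);
      if (h !== null) frame.style.height = h + 'px';
    });
  }
}
```

Two caveats follow from the thread itself. Because `allow-scripts` is on, any
script the sender put in the message also runs, just as an opaque origin; the
suggestion above to strip script tags first still applies if that is not
acceptable. And a browser that does not understand `sandbox` ignores the
attribute and renders a plain iframe, which is the "two display paths" problem
mentioned above; feature-detecting `'sandbox' in document.createElement('iframe')`
before choosing this path is the usual check.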

~~~
Pxtl
> Also, you're putting users without sandbox attribute support on risk of
> being exploited... so you'd have to switch between two paths for display.

An evil part of me considers that a feature, not a bug.

And as for stripping script tags, I'm always reminded of this story:

[http://blog.codinghorror.com/protecting-your-cookies-httponly/](http://blog.codinghorror.com/protecting-your-cookies-httponly/)

------
rosalinekarr
This would be great for an email marketing campaign. You could probably get a
lot of people to refer their friends just for the opportunity to see some cool
animation or graphics.

------
SatoshiRoberts
HTML email made me think of IE6 as the iPhone 6. The rendering engines on most
clients are horrible.

~~~
mschuster91
tbh Thunderbird is the only standalone mail client using a full-featured
browser engine as backend. Even Outlook uses a castrated-beyond-belief IE.

~~~
ceejayoz
Some versions of Outlook use the even worse MS Word engine.

------
__jal
This is a really interesting hack.

I love things that exploit the oddities of the landscape to do artsy/funky
things; far more interesting than finding yet another way to trick someone
into installing a password stealer.

------
tdeck
This reminds me of the old concept of "tab damage"[1] on usenet/mailing lists.
People used to leave little "devices" in their signatures that, based on this,
would point to the number of times a message had been forwarded or quoted,
because client software would typically indent the quoted message.

[1]
[http://linuxmafia.com/~rick/afw/#tabdamage](http://linuxmafia.com/~rick/afw/#tabdamage)

------
kecks
This can leak the user's client by changing links per client.

Make a link per identifiable client, show only the one for the current client,
and give each link a post/get parameter identifying the client. Quite easy to
do, but a lot of work to have broad client support.

Tada! I now know you read your email on your [obscure and bugged client],
which is susceptible to [this and that exploit].

~~~
Houshalter
Why not just insert the exploit into the first email? What do you gain by
identifying the client?

~~~
kecks
This is an exploit as well, just a different kind. It doesn't require any
programming errors in the clients; instead it relies on the
non-standardization of clients.

------
Pranz
Wow, this was a very creative use of forwarding.

------
rorykoehler
Nice work here and also nice post about the Brave thing and internet business
model on your site btw. I agree 100%.

------
alch-
That, sir, is totally awesome. Well played.

