iPhone & Apple Mail Privacy Hole - davecardwell
https://secure.grepular.com/blog/index.php/2009/10/02/apple-mail-privacy-hole/

======
Sidnicious
Responsible disclosure, anyone? I'm all for revealing the details of bugs so
that we can learn from each other's mistakes, but at least give Apple a few
weeks to patch the thing before blogging about it.

Also, I don't think the iPhone has the option to disable loading of remote
content in HTML email at all (IT SHOULD), so no bug there.

~~~
davecardwell
My iPhone running 3.1 does: Settings -> Mail, Contacts, Calendars -> Load
Remote Images -> On/Off

~~~
Sidnicious
Woah, is that new in 3.1? I never saw it before.

It's a great improvement, but I wish there were an option to load images on a
per-message basis, like on the desktop.

~~~
onedognight
It's in 3.0.

------
mike463
I think I saw something like this a long time ago (pre-Leopard).

I was running Little Snitch and while reading a specific email message, Little
Snitch told me Mail.app was trying to connect using port 80. I denied it, but
never tracked it down.

This is different from .mac addresses -- Mail.app will connect to .mac when
you receive mail from someone with a .mac address (to verify if they're
online, which you can disable, I believe).

------
pclark
Why is this a _serious_ privacy hole?

~~~
raintrees
It is my understanding that this is a way for spammers to fish out legitimate
email addresses. If the content is pulled from the server, the email address
must be real.

At least, this is what I tell my clients when recommending turning off HTML
content from untrusted email sources.

~~~
mickeyc
Correct. If I send a specially formatted email to an iPhone or Apple Mail user
and they read it, completely transparently to them, I will get a
"notification" of when they read it and what IP address they read it from,
even if they tell their client to not load remote images and to not honour
read receipts.

~~~
axod
And then they just put it in spam folder and what do you do with this
information (They read it from this IP)? Sure, you know that email address is
live and active, but what good is that info?

~~~
Sidnicious
Actually, they make the request to a unique URL which is tied to your email
address and that particular "campaign", letting the sender know that you
opened and read the email — and that you're probably a good person to send
loads more spam to.

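The mechanism raintrees, mickeyc and Sidnicious describe (a remote resource fetched when the message is rendered, with a URL unique to the recipient and campaign) is easy to spot from the receiving side. The following is an added example, not code from the linked post, from Apple or from any commenter. It assumes nothing about how the specific Apple Mail bug was triggered; instead it generalises the discussion by enumerating every way an HTML body can reference a remote URL (img/script/iframe src, <link> href, CSS url() in style attributes and <style> blocks), flags the references that look like per-recipient beacons, and rewrites them so the client never makes the request. The sample message, hostnames and tokens are constructed for the example.

```python
"""Find and neutralise remote-loading references in an HTML email body.

Added example (not from the original blog post or from Apple). The beacon
heuristics are assumptions: a 0x0 or 1x1 image, or a URL carrying a long
opaque token, is a good sign of a tracking fetch but not proof of one, so
block_remote() blocks every remote reference regardless of the heuristic.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS url(...) in a style attribute or <style> block, quoted or bare.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
# Anything with an http(s) scheme or a protocol-relative "//host/..." URL
# will leave the device; cid:, data: and relative references will not.
REMOTE = re.compile(r"^(https?:)?//", re.I)
# Heuristic: a long run of hex/base64-ish characters in the path or query
# usually identifies the recipient. False positives on long filenames are
# expected; this only ranks references, it does not decide what to block.
TOKEN = re.compile(r"[A-Za-z0-9_-]{20,}")


class RemoteRefFinder(HTMLParser):
    """Collect (kind, url, attrs) for every remote reference in the body."""

    SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def _add(self, kind, url, attrs):
        url = url.strip()
        if REMOTE.match(url):
            self.refs.append((kind, url, attrs))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SRC_TAGS and a.get("src"):
            self._add(tag, a["src"], a)
        if tag == "link" and a.get("href"):
            self._add("link", a["href"], a)
        if a.get("style"):  # inline CSS such as background-image: url(...)
            for u in CSS_URL.findall(a["style"]):
                self._add("css", u, a)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            for u in CSS_URL.findall(data):
                self._add("css", u, {})


def is_beacon(kind, url, attrs):
    """Rank a reference: tiny image or tokenised URL -> probable beacon."""
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    parts = urlsplit(url)
    tokenised = bool(TOKEN.search(parts.path) or TOKEN.search(parts.query))
    return (kind == "img" and tiny) or tokenised


def scan(html):
    """Return [(kind, url, probable_beacon), ...] in document order."""
    p = RemoteRefFinder()
    p.feed(html)
    p.close()
    return [(k, u, is_beacon(k, u, a)) for k, u, a in p.refs]


def block_remote(html):
    """Point every remote reference at about:blank; return (body, count).

    This is the per-message equivalent of 'Load Remote Images: Off', applied
    to every carrier of a URL, not just <img>. Assumes URLs in the raw body
    are not entity-encoded (the parser unescapes them before we compare).
    """
    p = RemoteRefFinder()
    p.feed(html)
    p.close()
    out = html
    for _, url, _ in p.refs:
        out = out.replace(url, "about:blank")
    return out, len(p.refs)


# Constructed sample message: one legitimate logo plus three beacon-style
# references carried by a <style> block, a 1x1 <img> and an inline style.
SAMPLE = """<html><head>
<style>body { background: url("https://track.example/bg/a1b2c3d4e5f6a7b8c9d0e1f2.png"); }</style>
</head><body>
<p>Hello! Your invoice is attached.</p>
<img src="https://cdn.example/logo.png" width="120" height="40">
<img src="https://track.example/open?u=0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c" width="1" height="1">
<div style="background-image: url(//track.example/css?r=q1w2e3r4t5y6u7i8o9p0a1s2)"></div>
<img src="cid:inline-part-1">
</body></html>"""

if __name__ == "__main__":
    for kind, url, beacon in scan(SAMPLE):
        print(f"{'BEACON ' if beacon else 'remote '} {kind:5} {url}")
    body, n = block_remote(SAMPLE)
    print(f"blocked {n} remote references")
```

Run as a script it lists the four remote references, marks three of them as probable beacons, and reports that all four were rewritten; the cid: inline attachment is left untouched. The ranking in scan() is what you would surface to a user or a mail gateway log; the rewrite in block_remote() is the policy that actually prevents the "they read it from this IP" leak, and it deliberately ignores the ranking so that a beacon disguised as an ordinary-looking image still never loads.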
~~~
axod
The problem of spam email is largely solved though for people who are using
the right tools.

I don't see it as a big deal personally if a sender of email finds out if it
was opened or not.

~~~
Sidnicious
Regardless of how good spam filters are today, not opening the emails leaves
you with less spam, and a lower chance of false positives/negatives in the
long term.