Welcome to the mailbox.org user forum!
 

CSS content IP Leak

2299664 shared this question 2 months ago
Need Answer

Hello. I am a new user evaluating mailbox.org.

I am currently testing the resistance of the webmail environment against IP tracking. Unfortunately, when I ran some tests via https://www.emailprivacytester.com/ I noticed that my IP leaks through CSS content being loaded.

( In the <body> of the HTML part, place a tag as follows: <p style="content:url('http://TRACKING_URL/')"></p> )

In other words, even with automatic display of external images off by default, it is still possible to track my WAN IP when using the mailbox.org webmail.

Can this be fixed?

Comments (2)

1

Would you be able to give more details on that? You wrote:

( In the <body> of the HTML part, place a tag as follows: <p style="content:url('http://TRACKING_URL/')"></p> )

but if the tracking URL is empty as in your quote, where's the issue?

1

If this URL were on your server, you would be able to gather my IP from your server logs when I opened this email. Please run the tests on the website I mentioned and see for yourself. You can also test different clients, as not every client exposes you to the same risks.

By the way, I was able to fix the problem by not showing email in HTML format by default. You can do this at Settings > Mail > View > disable 'Allow html formatted emails'.
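
A check a webmail sanitizer or a tester could run for the vector discussed in this thread, as an added example that is not part of the original posts and not mailbox.org's code: it lists every CSS url() in an HTML mail body that would cause a network request, including ones hidden behind HTML entities or CSS escapes. The function names, the sample body and the host tracker.example are assumptions made for illustration, and only url() is covered.

```python
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I | re.S)
ESC_RE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})\s?|(.))", re.S)
LOCAL_SCHEMES = ("data:", "cid:")  # carried inside the message, no fetch

def css_unescape(css):
    """Decode CSS backslash escapes so '\\75rl(' is seen as 'url('."""
    def repl(m):
        if m.group(2) is not None:
            return m.group(2)
        return chr(min(int(m.group(1), 16), 0x10FFFF))
    return ESC_RE.sub(repl, css)

class StyleUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []           # (location, url) pairs
        self._in_style = False
    def _scan(self, where, css):
        for m in URL_RE.finditer(css_unescape(css)):
            url = m.group(2).strip()
            if url and not url.lower().startswith(LOCAL_SCHEMES):
                self.hits.append((where, url))
    def handle_starttag(self, tag, attrs):
        self._in_style = (tag == "style")
        for name, value in attrs:   # the parser has already decoded entities
            if name == "style" and value:
                self._scan(f"<{tag} style>", value)
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self._scan("<style> block", data)

def find_remote_css_urls(html_body):
    finder = StyleUrlFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits

# Constructed sample message body; tracker.example is a placeholder host.
SAMPLE = (
    "<p style=\"content:url('http://tracker.example/t?id=1')\"></p>"
    "<p style=\"background:U&#82;L(//tracker.example/bg)\">hi</p>"
    "<div style=\"background:url(data:image/gif;base64,R0lGOD)\">x</div>"
    "<style>.x{content:\\75rl(\"https://tracker.example/css\")}</style>"
)
```

Anything other than data: and cid: is reported, so relative and protocol-relative targets are flagged as well as http and https ones.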
