EPIM email privacy risk.


SilverSound
Expert
Posts: 73
Joined: Tue Jun 09, 2020 6:46 am
Been thanked: 4 times

EPIM email privacy risk.

Post by SilverSound »

I was looking through my firewall log and found a ton of hits to spy and tracking companies coming from EPIM. I tracked it down to the emails.

It appears EPIM is in desperate need of privacy improvements for its email system, as its rendering engine is being heavily exploited even with the display of images turned off. There's really no point in not displaying images if all the tracking hits are going to go through anyway.

I checked four other email clients I used and none of them are suffering from this issue.
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

Is this also true for spam-emails when I checked "Automatically mark spam messages as read"? This really would be bad!
MetalDrop
Guru
Posts: 866
Joined: Sat Apr 09, 2016 10:19 pm
Been thanked: 189 times

Re: EPIM email privacy risk.

Post by MetalDrop »

a8907433 wrote: Thu Jun 25, 2020 6:00 pm Is this also true for spam-emails when I checked "Automatically mark spam messages as read"? This really would be bad!
This has been talked about before somewhere...

My tests always showed that the emails have to be rendered [opened/previewed] in the IE frame, so since things that are caught by a filter are never rendered they don't ever leak.

Of course, when it comes to personal data mining, true spam rarely has much to worry about, since it is normally always phishing scams, attachment exploits, site redirect attacks... or other things that need direct user interaction.

The emails you need to be the most concerned about for privacy mining are order invoices, company newsletters, opt-in marketing lists, social network notices, various account update notices... etc., which are all normally things you don't want marked as spam, and usually even want to read.
EPIM Portable Pro Running/Tested On: Windows 11 Pro 64-bit US-ENG|i5-6400+Quadro P620|i7-7700K+1050ti|i7-8700K+970GTX|AMD 5600x+1080ti|16GB+RAM&NVMe SSDs
[I'm helpful and often reply to questions, however I am just a fellow user and not staff.]
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

This has been talked about before somewhere...
I know, I remember. But not with exactly this information SilverSound wrote.
My tests always showed that the emails have to be rendered [opened/previewed] in the IE frame, so since things that are caught by a filter are never rendered they don't ever leak.

Of course, when it comes to personal data mining, true spam rarely has much to worry about, since it is normally always phishing scams, attachment exploits, site redirect attacks... or other things that need direct user interaction.
This is exactly what I wanted to hear! Is this here an "I like EPIM" bubble?? :lol:

Thanks, MetalDrop!
Max
Site Admin
Posts: 21714
Joined: Wed Dec 08, 2004 11:39 pm
Has thanked: 819 times
Been thanked: 364 times
Contact:

Re: EPIM email privacy risk.

Post by Max »

SilverSound, please turn off rendering of images and if the requests still come through, please export this email to EML and attach here or send via email.
Normally this should not be happening.
Maxim,
EPIM Team
SilverSound
Expert
Posts: 73
Joined: Tue Jun 09, 2020 6:46 am
Been thanked: 4 times

Re: EPIM email privacy risk.

Post by SilverSound »

Max wrote: Sat Jun 27, 2020 3:21 pm SilverSound, please turn off rendering of images and if the requests still come through, please export this email to EML and attach here or send via email.
Normally this should not be happening.
Attached are:
An email
A photo of my email display settings
A photo of the firewall log showing all the connections blocked for the provided email.
Attachments
2020_06_26_15_10 Films to Watch This Weekend.zip
2020-06-27_084212.png
2020-06-27_083956.png
Max
Site Admin
Posts: 21714
Joined: Wed Dec 08, 2004 11:39 pm
Has thanked: 819 times
Been thanked: 364 times
Contact:

Re: EPIM email privacy risk.

Post by Max »

Thank you for the email, we are looking into this.
Maxim,
EPIM Team
a8907433
Guru
Posts: 1047
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 170 times

Re: EPIM email privacy risk.

Post by a8907433 »

Now I had a closer look at my emails, and I compared them to the same emails in Thunderbird, and I found out: EPIM 9.1 Pro Portable is NOT BLOCKING EXTERNAL IMAGES AT ALL!!! The "Don't show external images in messages" option is set! Setting "Don't show external images in messages" on/off has no effect at all; there is no difference.
Max
Site Admin
Posts: 21714
Joined: Wed Dec 08, 2004 11:39 pm
Has thanked: 819 times
Been thanked: 364 times
Contact:

Re: EPIM email privacy risk.

Post by Max »

a8907433 wrote: Mon Jun 29, 2020 4:26 pm Now I had a closer look at my emails, and I compared them to the same emails in Thunderbird, and I found out: EPIM 9.1 Pro Portable is NOT BLOCKING EXTERNAL IMAGES AT ALL!!! The "Don't show external images in messages" option is set! Setting "Don't show external images in messages" on/off has no effect at all; there is no difference.
We will be checking this, thank you! So far I appear to be able to reproduce the issue.
Maxim,
EPIM Team
SilverSound
Expert
Posts: 73
Joined: Tue Jun 09, 2020 6:46 am
Been thanked: 4 times

Re: EPIM email privacy risk.

Post by SilverSound »

In version 9.1.1 the email I posted earlier no longer seems to leak. However others still are leaking with images turned off.

Attached are three of them along with screenshots of what was blocked.
Attachments
Email leaks 9.1.1.zip
Email Leaks 9.1.1 Extra email.zip
admin
Site Admin
Posts: 15601
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 1411 times
Been thanked: 984 times

Re: EPIM email privacy risk.

Post by admin »

Thanks, will have a look at it again.
Android version of EssentialPIM. Keep all your data in sync!
admin
Site Admin
Posts: 15601
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 1411 times
Been thanked: 984 times

Re: EPIM email privacy risk.

Post by admin »

We couldn't reproduce the issue on 9.1.1 anymore. Please check if the option not to load images is enabled in settings. If so, what about the sub-option to ignore the master option if the sender is in your contacts? If the sub option is enabled and the sender is in your contacts, then all's working correctly.
Android version of EssentialPIM. Keep all your data in sync!
SilverSound
Expert
Posts: 73
Joined: Tue Jun 09, 2020 6:46 am
Been thanked: 4 times

Re: EPIM email privacy risk.

Post by SilverSound »

admin wrote: Sat Jul 04, 2020 3:04 pm We couldn't reproduce the issue on 9.1.1 anymore. Please check if the option not to load images is enabled in settings. If so, what about the sub-option to ignore the master option if the sender is in your contacts? If the sub option is enabled and the sender is in your contacts, then all's working correctly.
My settings are still the same as last time.

All external images are not allowed.
2020-07-04_075219.png
MetalDrop
Guru
Posts: 866
Joined: Sat Apr 09, 2016 10:19 pm
Been thanked: 189 times

Re: EPIM email privacy risk.

Post by MetalDrop »

I'm seeing a lot of leaking still too.

My email display settings are the same: no external images, no exceptions for contacts.

Here are my results using ProcessMonitor and going through a couple of dozen recently deleted emails:
Fast scroll through recetnly deleted.png
EPIM Portable Pro Running/Tested On: Windows 11 Pro 64-bit US-ENG|i5-6400+Quadro P620|i7-7700K+1050ti|i7-8700K+970GTX|AMD 5600x+1080ti|16GB+RAM&NVMe SSDs
[I'm helpful and often reply to questions, however I am just a fellow user and not staff.]
admin
Site Admin
Posts: 15601
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 1411 times
Been thanked: 984 times

Re: EPIM email privacy risk.

Post by admin »

We use IE's rendering engine. When you open an email it renders the HTML; what it also does in the background, we have no control over. One thing is certain, though: it's not trying to load images when that option is enabled.
Android version of EssentialPIM. Keep all your data in sync!
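The thread turns on which parts of an HTML message make a rendering engine open network connections: admin's last post notes that the IE engine does more in the background than load `<img>` tags, and MetalDrop's earlier reply notes that nothing leaks until a message is actually rendered in the preview or an open window. The script below is an added example, not EssentialPIM code and not something anyone in this thread posted. It parses an .eml file and lists every remote reference a renderer could fetch (image sources and srcsets, stylesheets, CSS `url()` and `@import`, iframes, media, backgrounds) while ignoring `cid:` and `data:` references that stay inside the message, so you can see what a client would have to block before opening a message. The sample message and the `.test` hostnames are constructed for the demo.

```python
"""List the remote resources an HTML e-mail would make a renderer fetch.

Added example, not EssentialPIM's code. Assumes an RFC 5322 message with a
text/html part; the sample message at the bottom is constructed for the demo.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element attributes whose value a renderer fetches when the element is drawn.
# An image-blocking option that only covers <img src> misses most of these.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "link": ("href",),        # stylesheets, favicons, prefetch hints
    "script": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
    "input": ("src",),        # <input type="image">
    "body": ("background",),
    "table": ("background",),
    "td": ("background",),
}

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)
CSS_IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)


def is_remote(url: str) -> bool:
    """True for http(s) and protocol-relative URLs; cid:, data: and fragments are local."""
    url = url.strip()
    if url.startswith("//"):
        return True
    return urlparse(url).scheme in ("http", "https")


class RemoteRefCollector(HTMLParser):
    """Collects (kind, url) pairs for every remote reference in the HTML."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset lists several candidates: "url 1x, url 2x"
            if attr == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                if is_remote(url):
                    self.refs.append((f"{tag}[{attr}]", url))
        # Inline style="" attributes can carry background-image: url(...)
        style = attrs.get("style")
        if style:
            self._scan_css(style, "style-attr")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser hands <style> contents to handle_data as raw CDATA.
        if self._in_style:
            self._scan_css(data, "style-block")

    def _scan_css(self, css, kind):
        for url in CSS_URL.findall(css) + CSS_IMPORT.findall(css):
            if is_remote(url):
                self.refs.append((kind, url))


def remote_references(eml_bytes: bytes):
    """Return [(kind, url), ...] for every remote reference in the message's HTML parts."""
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = RemoteRefCollector()
            collector.feed(part.get_content())
            refs.extend(collector.refs)
    return refs


def remote_hosts(eml_bytes: bytes):
    """Sorted set of hostnames the message would contact; compare with firewall logs."""
    hosts = set()
    for _, url in remote_references(eml_bytes):
        full = "https:" + url if url.startswith("//") else url
        hosts.add(urlparse(full).hostname)
    return sorted(hosts)


# Constructed sample: one tracker host reached through three different vectors,
# plus a cid: logo and a data: image that never leave the message.
SAMPLE_EML = b"""From: news@example-newsletter.test
To: user@example.test
Subject: Films to Watch This Weekend
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://cdn.example-newsletter.test/mail.css">
<style>body { background: url("https://track.example-tracker.test/bg.gif?u=123"); }</style>
</head><body style="background-image:url(//track.example-tracker.test/px.gif)">
<p>Hello</p>
<img src="cid:logo@example" alt="logo">
<img src="https://track.example-tracker.test/open.gif?u=123" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">
</body></html>
"""

if __name__ == "__main__":
    for kind, url in remote_references(SAMPLE_EML):
        print(f"{kind:14} {url}")
    print("hosts:", remote_hosts(SAMPLE_EML))
```

Run it against an exported .eml (`remote_references(open(path, "rb").read())`) and compare the host list with what the firewall or Process Monitor reports when the message is previewed; a request to a host that appears only under `style-block` or `link[href]` tells you the client is blocking `<img>` sources but still letting the renderer fetch stylesheets and CSS backgrounds.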