EPIM email privacy risk.

General talks about EssentialPIM


SilverSound
Novice
Posts: 8
Joined: Tue Jun 09, 2020 6:46 am

EPIM email privacy risk.

Post by SilverSound »

I was looking through my firewall log and found a ton of hits to spy and tracking companies coming from EPIM. I tracked it down to the emails.

It appears EPIM is in desperate need of privacy improvements for its email system, as its rendering engine is being heavily exploited even with the display of images turned off. There's really no point in not displaying images if all the tracking hits are going to go through anyway.

I checked four other email clients I use and none of them are suffering from this issue.

a8907433
Guru
Posts: 566
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 111 times

Re: EPIM email privacy risk.

Post by a8907433 »

Is this also true for spam-emails when I checked "Automatically mark spam messages as read"? This really would be bad!

MetalDrop
Guru
Posts: 655
Joined: Sat Apr 09, 2016 10:19 pm
Been thanked: 136 times

Re: EPIM email privacy risk.

Post by MetalDrop »

a8907433 wrote:
Thu Jun 25, 2020 6:00 pm
Is this also true for spam-emails when I checked "Automatically mark spam messages as read"? This really would be bad!
This has been talked about before somewhere...

My tests always showed that the emails have to be rendered [opened/previewed] in the IE frame, so since things that are caught by a filter are never rendered they don't ever leak.

Of course, when it comes to personal data mining, true spam rarely has much to worry about, since it is normally always phishing scams, attachment exploits, site redirect attacks... or other things that need direct user interaction.

The email you need to be the most concerned about for privacy mining is order invoices, company newsletters, opt-in marketing lists, social network notices, various account update notices... etc., which are all normally things you don't want marked as spam, and usually even want to read.
Windows 7 64-bit US-ENG & Windows 10 64-bit US-ENG, Intel i7 7700k, 32GB DDR4, Nvidia & AMD Ryzen 2600 16GB DDR4 Nvidia 1080ti
[I'm helpful and often reply to questions, please note however I am just a fellow user and not staff.]

a8907433
Guru
Posts: 566
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 111 times

Re: EPIM email privacy risk.

Post by a8907433 »

MetalDrop wrote:
This has been talked about before somewhere...
I know, I remember. But not with exactly this information SilverSound wrote.

MetalDrop wrote:
My tests always showed that the emails have to be rendered [opened/previewed] in the IE frame, so since things that are caught by a filter are never rendered they don't ever leak.

Of course, when it comes to personal data mining, true spam rarely has much to worry about, since it is normally always phishing scams, attachment exploits, site redirect attacks... or other things that need direct user interaction.
This is exactly what I wanted to hear! Is this here an "I like EPIM" bubble?? :lol:

Thanks, MetalDrop!

Max
Site Admin
Posts: 21709
Joined: Wed Dec 08, 2004 11:39 pm
Has thanked: 819 times
Been thanked: 363 times

Re: EPIM email privacy risk.

Post by Max »

SilverSound, please turn off rendering of images and if the requests still come through, please export this email to EML and attach here or send via email.
Normally this should not be happening.
Maxim,
EPIM Team

SilverSound
Novice
Posts: 8
Joined: Tue Jun 09, 2020 6:46 am

Re: EPIM email privacy risk.

Post by SilverSound »

Max wrote:
Sat Jun 27, 2020 3:21 pm
SilverSound, please turn off rendering of images and if the requests still come through, please export this email to EML and attach here or send via email.
Normally this should not be happening.
Attached are:
An email
A photo of my email display settings
A photo of the firewall log showing all the connections blocked for the provided email.

Max
Site Admin
Posts: 21709
Joined: Wed Dec 08, 2004 11:39 pm
Has thanked: 819 times
Been thanked: 363 times

Re: EPIM email privacy risk.

Post by Max »

Thank you for the email, we are looking into this.
Maxim,
EPIM Team

a8907433
Guru
Posts: 566
Joined: Fri Mar 12, 2010 11:57 pm
Been thanked: 111 times

Re: EPIM email privacy risk.

Post by a8907433 »

Now I had a closer look at my emails, and I compared them to the same emails in Thunderbird, and I found out: EPIM 9.1 Pro Portable is NOT BLOCKING EXTERNAL IMAGES AT ALL!!! The "Don't show external images in messages" option is set! Setting "Don't show external images in messages" on/off has no effect at all; there is no difference.

Max
Site Admin
Posts: 21709
Joined: Wed Dec 08, 2004 11:39 pm
Has thanked: 819 times
Been thanked: 363 times

Re: EPIM email privacy risk.

Post by Max »

a8907433 wrote:
Mon Jun 29, 2020 4:26 pm
Now I had a closer look at my emails, and I compared them to the same emails in Thunderbird, and I found out: EPIM 9.1 Pro Portable is NOT BLOCKING EXTERNAL IMAGES AT ALL!!! The "Don't show external images in messages" option is set! Setting "Don't show external images in messages" on/off has no effect at all; there is no difference.
We will be checking this, thank you! So far I appear to be able to reproduce the issue.
Maxim,
EPIM Team

SilverSound
Novice
Posts: 8
Joined: Tue Jun 09, 2020 6:46 am

Re: EPIM email privacy risk.

Post by SilverSound »

In version 9.1.1 the email I posted earlier no longer seems to leak. However others still are leaking with images turned off.

Attached are three of them along with screenshots of what was blocked.

admin
Site Admin
Posts: 8244
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 754 times
Been thanked: 387 times

Re: EPIM email privacy risk.

Post by admin »

Thanks, will have a look at it again.
Android version of EssentialPIM. Keep all your data in sync!

admin
Site Admin
Posts: 8244
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 754 times
Been thanked: 387 times

Re: EPIM email privacy risk.

Post by admin »

We couldn't reproduce the issue on 9.1.1 anymore. Please check if the option not to load images is enabled in settings. If so, what about the sub-option to ignore the master option if the sender is in your contacts? If the sub option is enabled and the sender is in your contacts, then all's working correctly.
Android version of EssentialPIM. Keep all your data in sync!

SilverSound
Novice
Posts: 8
Joined: Tue Jun 09, 2020 6:46 am

Re: EPIM email privacy risk.

Post by SilverSound »

admin wrote:
Sat Jul 04, 2020 3:04 pm
We couldn't reproduce the issue on 9.1.1 anymore. Please check if the option not to load images is enabled in settings. If so, what about the sub-option to ignore the master option if the sender is in your contacts? If the sub option is enabled and the sender is in your contacts, then all's working correctly.
My settings are still the same as last time.

All external images are not allowed.
2020-07-04_075219.png

MetalDrop
Guru
Posts: 655
Joined: Sat Apr 09, 2016 10:19 pm
Been thanked: 136 times

Re: EPIM email privacy risk.

Post by MetalDrop »

I'm seeing a lot of leaking still too.

My email display settings are the same: no external images, no exceptions for contacts.

Here are my results using Process Monitor and going through a couple of dozen recently deleted emails:
Fast scroll through recetnly deleted.png
Windows 7 64-bit US-ENG & Windows 10 64-bit US-ENG, Intel i7 7700k, 32GB DDR4, Nvidia & AMD Ryzen 2600 16GB DDR4 Nvidia 1080ti
[I'm helpful and often reply to questions, please note however I am just a fellow user and not staff.]

admin
Site Admin
Posts: 8244
Joined: Thu Nov 25, 2004 3:12 am
Has thanked: 754 times
Been thanked: 387 times

Re: EPIM email privacy risk.

Post by admin »

We use IE's rendering engine. When you open an email, it renders the HTML; what it also does in the background, we have no control over. Although one thing is certain: it's not trying to load images when that option is enabled.
Android version of EssentialPIM. Keep all your data in sync!
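The thread's underlying point is that "don't load external images" and "don't fetch remote content" are not the same thing: an HTML message can also pull from the network through CSS url() and @import, <link> stylesheets, <iframe>/<object>/<embed>, and background= attributes, and a renderer that is only told to skip <img> will still contact those hosts. The following is an added example, not EssentialPIM code, showing the check a practitioner would run on an exported EML before trusting a client's setting, and the mitigation that does not depend on the rendering engine: enumerate every reference the renderer would fetch without user interaction, report the hosts, and rewrite the HTML with those references removed before it is handed to any engine. The sample message and all host names in it are constructed for this example.

```python
"""Find and strip remote-content references in an HTML e-mail.

Added example; not EssentialPIM code. Anything the renderer fetches without
a click is a tracking channel: <img src>, CSS url()/@import in <style> or
style="", <link href>, <iframe>/<object>/<embed>, background="" attributes.
Blocking only <img> leaves the rest open, which is why a firewall can still
see hits with "external images" turned off.
"""
import email
import re
from email import policy
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value is fetched automatically on the tags listed below.
URL_ATTRS = {"src", "href", "background", "poster", "data"}
AUTO_FETCH_TAGS = {"img", "link", "iframe", "frame", "object", "embed", "video",
                   "audio", "source", "track", "input", "body", "table", "tr", "td"}
# Tags with no legitimate use in mail; dropped outright (content of script too).
DROP_TAGS = {"script", "iframe", "frame", "object", "embed", "link", "meta", "base"}
CSS_URL_RE = re.compile(r"""(?:url\(\s*['"]?|@import\s+['"]?)\s*([^'"\)\s;]+)""", re.I)
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(url: str) -> bool:
    """True for anything that causes a network fetch (cid: and data: do not)."""
    u = url.strip()
    return u.startswith("//") or urlparse(u).scheme.lower() in REMOTE_SCHEMES


class RemoteRefScanner(HTMLParser):
    """Records every remote reference and rebuilds the HTML without them."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.refs = []        # (channel, url) for every remote reference found
        self.out = []         # sanitized HTML fragments
        self._raw = None      # "script" / "style" while inside that element

    def _record(self, channel, url):
        if is_remote(url):
            self.refs.append((channel, url.strip()))
            return True
        return False

    def _scan_css(self, css, channel):
        for url in CSS_URL_RE.findall(css):
            if self._record(channel, url):
                css = css.replace(url, "about:blank")
        return css

    def _tag(self, tag, attrs, self_closing):
        if tag in ("script", "style"):
            self._raw = tag
        kept = []
        for name, value in attrs:
            if value is None:
                kept.append(name)
            elif name == "style":
                kept.append('style="%s"' % escape(self._scan_css(value, f"{tag}[style]")))
            elif name in URL_ATTRS and tag in AUTO_FETCH_TAGS and self._record(f"{tag}[{name}]", value):
                continue  # remote: drop the attribute, keep the tag
            else:
                kept.append(f'{name}="{escape(value)}"')
        if tag in DROP_TAGS:
            return
        self.out.append("<" + " ".join([tag] + kept) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._raw = None
        if tag not in DROP_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw == "style":
            self.out.append(self._scan_css(data, "style"))
        elif self._raw != "script":
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def scan_eml(raw: bytes):
    """Return (remote_refs, sanitized_html) for the HTML body of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return [], ""
    p = RemoteRefScanner()
    p.feed(part.get_content())
    p.close()
    return p.refs, "".join(p.out)


def remote_hosts(refs):
    """Distinct hosts the renderer would have contacted."""
    return sorted({urlparse(u if not u.startswith("//") else "https:" + u).hostname for _, u in refs})


# Constructed sample message; hosts are made up, not taken from the thread's attachments.
SAMPLE_EML = b"""From: news@example-shop.test
To: user@example.test
Subject: Your order
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="https://cdn.tracker.test/style.css">
<style>body { background: url("https://pixel.tracker.test/bg.gif"); }</style>
</head>
<body background="http://other.tracker.test/b.png">
<p>Thanks for your order.</p>
<img src="https://pixel.tracker.test/open?id=123" width="1" height="1">
<img src="cid:logo@example-shop.test">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://frame.tracker.test/f"></iframe>
</body></html>
"""

if __name__ == "__main__":
    refs, clean = scan_eml(SAMPLE_EML)
    for channel, url in refs:
        print(f"{channel:18} {url}")
    print("hosts:", remote_hosts(refs))
    print(clean)
```

Run it against an exported EML in place of SAMPLE_EML: the channel column tells you which of the five references would survive an image-only block (here the stylesheet link, the CSS background, the body background and the iframe), and the host list is what to compare against the firewall or Process Monitor output. cid: and data: URLs are left alone because they never touch the network.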
