GrowlMail = security problem????


TigerMo

Dec 28, 2009, 10:50:12 PM
to Growl Discuss
The following was posted on another site:
I’d like to mention a big flaw in GrowlMail that everyone should think
about. It ignores your load/don’t load image settings in mail, meaning
that it confirms your email address and ip address to every spammer
and targeted advertiser on the planet. Not Good.

Is this true (minus the exaggeration)?

Chris Forsythe

Dec 28, 2009, 11:08:52 PM
to growld...@googlegroups.com
This was reported in multiple ways. I think the response here from
mickeyc covers possibly what you are seeing:

http://forums.cocoaforge.com/viewtopic.php?p=121110#p121110

Also, this is already filed:

http://code.google.com/p/growl/issues/detail?id=89

So far it's targeted for the next minor release, however that is
subject to change.

Chris


Peter Hosey

Dec 28, 2009, 11:09:57 PM
to growld...@googlegroups.com
On Dec 28, 2009, at 19:50:12, TigerMo wrote:
> I’d like to mention a big flaw in GrowlMail that everyone should think
> about. It ignores your load/don’t load image settings in mail, …

True. This is a known bug. We're just not yet sure how.

> … meaning that it confirms your email address and ip address to
> every spammer and targeted advertiser on the planet.

Can be true.

It definitely will tell them your IP address (when your machine
requests an image, the response has to go *somewhere*, and that
somewhere is the return address of the request), but that's
meaningless to anyone but your ISP. The worst anyone can do with an IP
address (without being an employee of your ISP or a member of law
enforcement) is guess your rough geographical location, and that's
*very* rough: My IP addresses show up to people as being in Long
Beach, which is a non-trivial drive away from here.

A spammer *may* base image addresses on the recipient's email address,
but this requires generating a different spam message for every
recipient. That's possible, and I'm sure some spammers do it, but not
all, because it slows down how fast they can pump out spam (easier to
send exactly the same message to everybody). When they do, yes,
loading such an image address will confirm the email address.

That's why we want to fix it.
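Added example, not code from this thread or from the Growl project: a small Python filter that does what Mail's "don't load remote images" setting asks for, rewriting remote image references in an HTML body so that rendering it makes no network request (and so reveals neither the reader's IP address nor a per-recipient image URL), while leaving inline cid: and data: images alone. The class, function and sample message are constructed for the example; inline CSS url() references, comments and the doctype are not handled.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

REMOTE = {"http", "https"}  # cid: (inline MIME part) and data: URIs never touch the network
# Attributes whose remote URL makes a renderer issue a request when the message is shown
FETCH_ATTRS = {"img": ("src", "srcset"), "body": ("background",), "td": ("background",)}


def is_remote(value):  # srcset holds "url 1x, url 2x"; a plain attribute is one candidate
    return any(urlsplit(c.split()[0]).scheme.lower() in REMOTE
               for c in value.split(",") if c.strip())


class RemoteImageBlocker(HTMLParser):
    # Remote URLs move to data-blocked-* so a per-message "load remote images" action can restore them
    def __init__(self):
        super().__init__(convert_charrefs=False)  # entity/char refs are passed through untouched
        self.out, self.blocked = [], []

    def handle_starttag(self, tag, attrs, closer=">"):
        rebuilt, changed = [], False
        for name, value in attrs:  # attrs arrive with entities already decoded
            if name in FETCH_ATTRS.get(tag, ()) and value and is_remote(value):
                self.blocked.append(value)
                name, changed = "data-blocked-" + name, True
            rebuilt.append((name, value))
        if not changed:  # untouched tag: emit its original source text as-is
            self.out.append(self.get_starttag_text())
            return
        text = "".join(f" {n}" if v is None else f' {n}="{escape(v, quote=True)}"' for n, v in rebuilt)
        self.out.append(f"<{tag}{text}{closer}")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, closer=" />")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def block_remote_images(html):  # returns (rewritten_html, blocked_urls) for one message body
    p = RemoteImageBlocker()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked


# Constructed sample: a per-recipient tracking pixel next to a legitimate inline (cid:) image
SAMPLE = ('<p>Hello &amp; welcome</p><img src="https://tracker.example/o?u=alice%40example.com" '
          'width="1" height="1"><img src="cid:logo@example.com" alt="logo">')
```

Running `block_remote_images(SAMPLE)` leaves the cid: logo untouched and moves the tracker URL to `data-blocked-src`, returning it in the blocked list so the client can show a "remote images were blocked" notice.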
