
Security Check: Can Chrome Email Tracking Extensions Store Your Private Emails?


My name is Vadym, and I am from Anti-Malware Lab (formerly Kromtech Security Center). Our research project focuses on monitoring digital risks and privacy violations. Here are our recent research findings. If you have questions, concerns or ideas for updating them, please comment here or contact me.

TL;DR

If you were wondering whether you can rely on the privacy of email trackers in Chrome, the short answer is: not really. Two of the three most popular email tracking extensions we analyzed receive content from the body of your email even when this is not necessary for their work.

The Long [detailed] Answer

You have to watch your back in extension stores. This is especially true in Chrome, whose almost 60 percent market share makes the browser a nice piece of pie for cybercriminals. Google says that 70 percent of malicious extensions are blocked, but a steady stream of recent research findings shows that the problem is far from resolved.

I want to emphasize that an extension doesn’t have to be malicious to be dangerous. Collecting user data that the extension does not need for its work can lead to problems on a par with malware cases.

Based on feedback from some of our users, we decided to analyse three popular free mail trackers ― Yesware, Mailtrack, and Docsify. Each of them allows tracking email open and reply rates, link clicks, attachment opens, and presentation pageviews as well as allowing copies of important emails to be sent directly to your CRM automatically.

We looked at the permissions that each extension requests, the actual data from your email that goes to the extensions’ hosts, and how this is all shown in the Privacy Policy. Here’s a breakdown of what we found.

The Permissions You Give

Installing Yesware is accompanied by the standard permission prompt it requires. The most nefarious-looking request is to “Read and change all your data on [all] websites you visit.”

Usually, such extensions only require this level of permission on a specific website. For example, the official Google Mail Checker (email tracking for Gmail) asks to “Read and change your data on all google.com sites.”

As far as I can tell, the extension developers decided to ask for “unlimited” permission instead of bothering you with an extended list of websites their extension is going to interact with. However, you need to understand that by accepting this you are giving Yesware much more access than it needs for its actual work.


Interestingly, we noticed that after confirming the permissions for the extension, you then have to confirm other permissions ― for the app.


It’s important to know that permissions presented like the one in the screenshot above belong to the app, not the extension.

What does this mean? Essentially, if you decide to delete the extension, the app will still have access to your data.


Similarly, Docsify asks for permission to read and change all your data on the websites you visit. Its application requires permissions of its own as well.


Mailtrack, in contrast to the first example, doesn’t ask for access to all websites, only to email-related websites.


These permissions are standard for this type of extension ― to read, send, delete, and manage the emails.
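The distinction the article draws above, between an extension that asks for every website and one that limits itself to the mail provider's sites, can be checked directly in an extension's manifest.json before you install it. The following is an added example, not code from the article or from any of the extensions it discusses: it collects the host match patterns a manifest declares and classifies them as "all websites" (the scope behind Chrome's "Read and change all your data on the websites you visit" warning) or site-scoped. The two manifests at the bottom are constructed for illustration and are not the real manifests of Yesware, Mailtrack or Docsify.

```javascript
// Added example (not the article's code). Classifies the host permissions in an
// extension's manifest.json. Sample manifests below are constructed, not real ones.

// Chrome match patterns that grant access to every site: the special pattern
// "<all_urls>", or a scheme plus a bare "*" host such as "*://*/*" or "http://*/*".
function isAllSitesPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\/.*$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// Collect every host pattern the manifest declares. Manifest V2 lists host
// patterns inside "permissions", Manifest V3 inside "host_permissions", and
// content_scripts "matches" also decide where the extension's code is injected.
function hostPatterns(manifest) {
  const out = new Set();
  const add = (p) => {
    if (typeof p === "string" && (p === "<all_urls>" || p.includes("://"))) out.add(p);
  };
  (manifest.permissions || []).forEach(add);
  (manifest.host_permissions || []).forEach(add);
  (manifest.content_scripts || []).forEach((cs) => (cs.matches || []).forEach(add));
  return [...out];
}

// Summarise the scope: "all-websites" if any pattern covers every site,
// "site-scoped" if patterns exist but are all limited to named hosts, "none" otherwise.
function classifyScope(manifest) {
  const patterns = hostPatterns(manifest);
  const allSites = patterns.filter(isAllSitesPattern);
  let scope = "none";
  if (allSites.length > 0) scope = "all-websites";
  else if (patterns.length > 0) scope = "site-scoped";
  return { scope, patterns, allSitesPatterns: allSites };
}

// Constructed manifests for illustration (not any real extension's manifest).
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "example-tracker-broad",
  permissions: ["storage", "tabs", "<all_urls>"],
};

const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "example-tracker-scoped",
  permissions: ["storage"],
  host_permissions: ["*://mail.google.com/*"],
  content_scripts: [
    { matches: ["*://mail.google.com/*", "*://outlook.live.com/*"], js: ["content.js"] },
  ],
};

// Print a one-line verdict per manifest when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  for (const m of [BROAD_MANIFEST, SCOPED_MANIFEST]) {
    const r = classifyScope(m);
    console.log(`${m.name}: ${r.scope}  patterns=${JSON.stringify(r.patterns)}`);
  }
}
```

To run this against a real extension, load its manifest.json (for an installed Chrome extension it sits under the profile's Extensions directory) with `JSON.parse` and pass the object to `classifyScope`. A result of "all-websites" for a tool whose job only involves your mail provider is exactly the over-broad request the article describes.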

The Email Data They Get

The most interesting part of our investigation came from analyzing the email content that each extension collects and processes. At this stage we used Burp, a tool for testing web application security. Its proxy lets us inspect the raw data passing in both directions, in our case from the sender to the extension’s data storage.

Yesware Email Data Collection

The Yesware Privacy Policy and Terms of Use don’t include information regarding storage of the data from your email. However, our research shows that the app does handle and store email data.

To be clear, we tested the free version of Yesware without CRM integration. After composing and sending an email, we checked the host app.yesware.com in Burp to find the data from the email message that was sent there.

[Screenshot] Our sample email with tracking features turned on in Yesware.

It’s easy to notice that our email body went to the Yesware host. In other words, the extension collected and processed the entire content of this personal email.

[Screenshot] The data we found with Burp.

Surprisingly and importantly, when we deselected the Track and CRM checkboxes in order to stop tracking any activity related to our emails, the situation remained the same.

[Screenshot] The content of the second email with tracking features off.

Yesware sent the body of the email even in this case.

[Screenshot] The Burp analysis of the second case.

We determined that only turning off all the features in the extension preferences helped; in that case no data was sent to the host.
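The check the article performs by hand in Burp, composing an email with a known body and then looking for that body in the requests the extension sends to its own host, can be automated over an exported capture. The code below is an added example, not the article's code and not Yesware's: given the test email and a list of captured requests (method, URL, body), it reports every request to a host other than the mail provider whose URL or body carries the email body, trying the plain, JSON-escaped, URL-encoded and base64 forms a client might use. The email and captures are constructed; "app.tracker.example", "cdn.tracker.example" and "mail.example.net" are placeholder hosts, not the services the article names, and the `tracking: false` field in the constructed capture stands in for the "tracking switched off" case the article observed.

```javascript
// Added example (not the article's code). Finds the body of a known test email in
// captured proxy traffic to third-party hosts. Email and captures are constructed.

// Encodings under which the body might appear inside a request.
function encodings(text) {
  return {
    raw: text,
    json: JSON.stringify(text).slice(1, -1), // JSON string escaping, without the quotes
    urlencoded: encodeURIComponent(text),
    base64: Buffer.from(text, "utf8").toString("base64"),
  };
}

// Report every request to an unexpected host whose URL or body carries the email body.
// expectedHosts is the set of hosts that legitimately must see the body (the mail provider).
function findBodyLeaks(email, captures, expectedHosts) {
  const needles = encodings(email.body);
  const leaks = [];
  for (const cap of captures) {
    const host = new URL(cap.url).host;
    if (expectedHosts.has(host)) continue;
    const payload = `${cap.url}\n${cap.body || ""}`;
    for (const [encoding, needle] of Object.entries(needles)) {
      if (payload.includes(needle)) {
        leaks.push({ host, method: cap.method, url: cap.url, encoding });
        break; // one hit per request is enough
      }
    }
  }
  return leaks;
}

// Distinct third-party hosts that received the body, sorted for stable output.
function leakingHosts(email, captures, expectedHosts) {
  const hosts = findBodyLeaks(email, captures, expectedHosts).map((l) => l.host);
  return [...new Set(hosts)].sort();
}

// Constructed test email. The newline makes the JSON-escaped form differ from the raw one,
// so the example shows the matcher catching a body embedded in a JSON request.
const SAMPLE_EMAIL = {
  subject: "Q3 draft",
  body: "Quarterly numbers attached.\nPlease keep confidential until Friday.",
};

// Constructed captures in the shape a proxy export would give (placeholder hosts).
const SAMPLE_CAPTURES = [
  // The mail provider itself; it must receive the body, so it is expected and skipped.
  {
    method: "POST",
    url: "https://mail.example.net/sync",
    body: `subject=${encodeURIComponent(SAMPLE_EMAIL.subject)}&body=${encodeURIComponent(SAMPLE_EMAIL.body)}`,
  },
  // The tracker's API receiving the full body even though tracking is off.
  {
    method: "POST",
    url: "https://app.tracker.example/api/v1/emails",
    body: JSON.stringify({ subject: SAMPLE_EMAIL.subject, body: SAMPLE_EMAIL.body, tracking: false }),
  },
  // Open-tracking beacon carrying only an identifier: no body, no leak.
  { method: "GET", url: "https://app.tracker.example/api/v1/opens?mid=abc123" },
  { method: "POST", url: "https://cdn.tracker.example/pixel", body: "mid=abc123" },
];

const EXPECTED_HOSTS = new Set(["mail.example.net"]);

// Print the findings when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  for (const leak of findBodyLeaks(SAMPLE_EMAIL, SAMPLE_CAPTURES, EXPECTED_HOSTS)) {
    console.log(`${leak.method} ${leak.url} -> email body present (${leak.encoding})`);
  }
}
```

With a real Burp export, map each item to `{ method, url, body }` and keep your own mail provider in `expectedHosts`; any host left in the result received the body of the message you composed. Repeating the run with the extension's tracking features switched off, as the article did, shows whether the transmission depends on those features or happens regardless.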


In order to get an explanation for all this, we sent an email to Yesware support. Our first email to support@yesware.zendesk.com (12 October 2018) is reproduced below.

Dear Yesware Security Team,

My name is Vadym, I am a security researcher with Kromtech Alliance Corp. (https://kromtech.com/). We are a product development company, with malware analysis as one of our activities. During recent research our team discovered that the “Yesware Email Tracking” Chrome extension sends an e-mail body to the domain app.yesware.com even if the user turned trac
