My name is Vadym, I am from Anti-Malware Lab (former Kromtech Security Center). Our research project is focused on monitoring digital risks and privacy violations. Here are our recent research findings. If you have questions, concerns or ideas to update it, please comment here or contact me.
TL;DR
If you were wondering whether you can rely on the privacy of email trackers in Chrome, the short answer is: Not really. Two of the three most popular email tracking extensions we analyzed are receiving content from the body of your email even if this is not necessary.
The Long [detailed] Answer
You have to watch your back in extension stores. This is especially true in Chrome with the almost 60 percent market share that makes the browser a nice piece of pie for cybercriminals. Google says that 70 percent of the malicious extensions are blocked, but a steady stream of recent research findings shows that the problem is far from resolved.
I want to emphasize that extensions don’t have to be malicious to be dangerous. The collection of user data that the extension does not need for its work could potentially lead to problems on par with malware cases.
Based on feedback from some of our users, we decided to analyse three popular free mail trackers ― Yesware, Mailtrack, and Docsify. Each of them allows tracking email open and reply rates, link clicks, attachment opens, and presentation pageviews as well as allowing copies of important emails to be sent directly to your CRM automatically.
Usually, such extensions only require this level of permission on a specific website. For example, the official Google Mail Checker (email tracking for Gmail) asks to “Read and change your data on all google.com sites.”
As far as I can tell, the extension developers decided to ask for “unlimited” permission instead of bothering you with an extended list of websites where their extension is going to interact. However, you need to understand that in accepting this you are giving Yesware much more access than it needs for its actual work.
Interestingly, we noticed that after confirming the permissions for the extension, you then have to confirm other permissions ― for the app.
It’s important to know that permissions presented as in the screenshot above are related to the app, not the extension.
What does this mean? Essentially, if you decide to delete the extension, the app will still have access to your data.
Similarly, Docsify asks permission to read and change all your data on the websites you visit. Permissions are required by the application as well.
Mailtrack, in contrast to the first example, doesn’t ask for access to all websites, only email-related websites.
These permissions are standard for this type of extension ― to read, send, delete, and manage the emails.
The Email Data They Get
The most interesting part of our investigation came from analyzing the email content which every extension collects and processes. At this stage, we used Burp, a tool for testing Web application security. Its proxy server tool allows us to inspect the raw data passing in both directions ― in our case, from sender to extension data storage.
Yesware Email Data Collection
To be clear, we tested the free version of Yesware without CRM integration. After composing and sending an email, we checked the host app.yesware.com in Burp to find the data from the email message that was sent there.
Our sample email with tracking features turned on in Yesware.
It’s easy to notice that our email body went to the Yesware host. In other words, the extension collected and processed the entire content of this personal email.
The data we found with Burp.
Surprisingly and importantly, when we deselected the Track and CRM checkboxes in order to stop tracking any activity related to our emails, the situation remained the same.
The content of the second email with tracking features off.
Yesware sent the body of the email even in this case.
The Burp analysis of the second case.
We determined that only turning off all the features in the extension preferences helped. In this case no data was sent to the host.
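The Burp check described above can be repeated mechanically by typing a unique marker into the test email and searching every captured request for it, both as plain text and as base64 at any byte alignment. The sketch below is an added example, not code from the original research; the shape of the request list, the marker, the paths, the payloads and every host other than app.yesware.com are constructed assumptions.

```python
import base64
from urllib.parse import urlsplit

def base64_forms(token):
    """Base64 substrings the token produces at each of the 3 byte alignments."""
    forms = set()
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + token).decode()
        # Drop leading chars that also encode the bytes preceding the token.
        enc = enc[(0, 2, 3)[offset]:]
        # A padded tail char would also carry bits of the byte that follows.
        if enc.endswith("="):
            enc = enc.rstrip("=")[:-1]
        forms.add(enc)
    return forms

def find_leaks(requests, canary, expected_hosts):
    """Sorted (host, encoding) pairs for requests that carry the canary
    to a host outside expected_hosts."""
    needles = {canary: "plain"}
    needles.update({form: "base64" for form in base64_forms(canary.encode())})
    leaks = set()
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if host in expected_hosts:
            continue
        leaks.update((host, kind) for needle, kind in needles.items()
                     if needle in req["body"])
    return sorted(leaks)

# Constructed data: a marker typed into the test email body, and four requests
# as they might be exported from the proxy (paths and payloads are invented).
CANARY = "zq7Kcanary41xT9body"
WRAPPED = base64.b64encode(("<div>Hello " + CANARY + "</div>").encode()).decode()
SAMPLE = [
    {"url": "https://mail.google.com/constructed/send", "body": "body=" + CANARY},
    {"url": "https://app.yesware.com/constructed/path",
     "body": '{"body": "<div>' + CANARY + '</div>"}'},
    {"url": "https://tracker.example/constructed", "body": "payload=" + WRAPPED},
    {"url": "https://cdn.example/constructed", "body": "v=1&event=pageview"},
]

if __name__ == "__main__":
    for host, kind in find_leaks(SAMPLE, CANARY, {"mail.google.com"}):
        print(host, "received the email body marker,", kind)
```

Running the same search once with tracking enabled and once with every feature disabled gives a repeatable before/after comparison of which hosts receive the message body.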
In order to get an explanation for all this, we sent an email to Yesware support. You can find the first email, sent to firstname.lastname@example.org (12 October 2018), below.
Dear Yesware Security Team
My name is Vadym, I am a security researcher with Kromtech Alliance Corp. (https://kromtech.com/). We are a product developer company, with malware analysis as one of our activities. During the recent research our team discovered that “Yesware Email Tracking” Chrome extension sends an e-mail body to domain app.yesware.com even if user turned trac