The Cookie Leak Security Hole in HTML Email messages

Web Programming > Internet Privacy > Email Cookie Leak Security Hole

Richard M. Smith (
November 30, 1999

Since the invention of Web browser cookies by Netscape, the claim has always been made that they are anonymous and cannot be associated with any personal information unless someone provides this information.

In this write-up, I will present a technique in which browser cookies can be matched to Email addresses without people's knowledge. The technique relies on a security hole that is present in both Microsoft's Internet Explorer browser and Netscape's Navigator browser. This technique can be used, for example, to allow a banner ad company to associate an Email address with a "anonymous" profile that has been created for a person as they surf the Web. Once a banner ad company has an Email address tied to a profile, they can provide a service to advertisers of customized ads in "junk" Email message. These ads can be based on profiles previously created from Web site visits. In addition, banner ad companies can offer the service of sending out "junk" Email messages to people who visit a particular Web site. This last service makes Web surfing much less private.

First off, the syncing of an cookie to an Email address must be done in an Email message. It addition, it requires the message to be formatted as an HTML message and therefore the person receiving the message must be using an HTML-enabled Email reader. Most of the standard Email readers in use today, such as Outlook, Outlook Express, Netscape Messenger, and Eudora are HTML-enabled. Also, Web-based Email systems such as Hotmail and Yahoo Mail are HTML-enabled.

The basic technique is for an HTML message to include a graphics in an HTML Email message that is loaded from a Web server belonging to a banner ad company. This graphics is specified using a standard HTML IMG tag. For example, this IMG tag will fetch a graphics named "SYNC.GIF" from a Web server belonging to (a fictitious company):

The key thing here is that the company sending out the Email message knows your Email address. They have to in order to send out the message. In addition, it is easy for them to create custom mail messages for each person that they send mail to.

The final HTTP GET request then to fetch SYNC.GIF will look something like the following in Outlook:

GET /sync.gif? HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Connection: Keep-Alive
Cookie: id=943977050
In Netscape Messenger, the GET request looks like:
GET /sync.gif? HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.7 [en] (Win98; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Cookie: id=c643640a
Both the Email address and cookie value is included in the Outlook and Messenger GET requests.

When the GET request is processed by the MyBannerAds server. It first extracts the customer id number from the cookie and looks it up its database of "anonymous" profiles of Web surfers. Once it has located the profile, it then extracts the Email address from the URL query string, turning a once "anonymous" profile into an "identified" profile.

So where does MyBannerAds get the Email addresses in first place to send out a message which includes the SYNC.GIF file? The answer is quite simple, they "rent" the Email addresses. Or more specifically, the rent space in junk Email messages that are already being sent out. The IMG tags typically take less than 100 bytes, so they can easily be embedded in messages that are part of any Email ad campaign that is using HTML Email messages.

Another interesting question is what do users see on the screen for the SYNC.GIF file. The answer is nothing. The GIF file can be a 1-by-1 image that is completely invisible. The technique of including invisible images in junk Email messages is already quite common today and they are used for the purpose of checking to see if a junk Email has been read or not.

I've nicknamed these 1-by-1 GIFs "Web Bugs". They are also known as "clear GIFs" and "invisible pixels". More information about Web Bugs can be found at:
Here is some examples of Web Bugs, that I've received in junk Email messages over the last few months:


   (Email address is encrypted)
You will notice that these Web Bugs look very similar to the IMG tag for the SYNC.GIF file used for syncing a cookie to an Email address. The only difference being that the Web Bugs being used today go back to the Email servicing company that sent out the Email message and not to a banner ad company. This means that the Email servicing companies already have the technology in place to send out GIF images to sync up cookies and Email addresses. The only change required is to generate a different server name in the Web Bug URLs.

To sync up as many profiles as possible, a banner ad company would have to rent out space on many different mailing list. Many millions of messages would have to sent out for them to learn the Email addresses of a useful percentage of their profile database. However, given that the overhead of the GIF file tags is very low, it wouldn't be too difficult to rent space in many different Email lists.

This technique also becomes extremely easy if a banner ad company is sending out the Email messages themselves because they've entered into the Email servicing business or have acquired a servicing company.

In summary, the key point to look out for here is the technical progress in the banner ad business. If banner ad companies enter the Email servicing business they'll be putting themselves in a very good position to also know the identity of people who are surfing to Web sites. Using the technique I've outlined in this write-up, the Email servicing side of the business can easily provide Email addresses to the banner ad side of the business.

This "progress" represents yet another step in the erosion of privacy on the Internet. The best solution to this problem, I believe, is a technical one. That is, Microsoft and Netscape should fix the security holes in their respective Web browser products that allow cookies to be sent out from HTML Email messages.