Critical Roundcube Webmail Vulnerability Allows Email Tracking Despite Privacy Settings
Roundcube, a widely used open-source webmail client, has recently addressed a significant security flaw that compromised user privacy. This vulnerability enabled attackers to track when emails were opened, even if users had configured their settings to block remote images.
Understanding the Vulnerability
The core of this issue resided in Roundcube's HTML sanitizer, `rcube_washtml`, which is designed to clean incoming email content to prevent cross-site scripting (XSS) attacks and protect user privacy. When the `allow_remote` option is set to false, the sanitizer intercepts attributes that could load external resources, such as the `href` attribute on SVG `<image>` and `<use>` elements, and blocks them.
However, the sanitizer did not recognize the SVG filter primitive `<feImage>` as an image-loading element, so a remote `href` on that element was not subject to the same check.
Exploitation Mechanism
An attacker could exploit this flaw by embedding an invisible 1×1 SVG in an email. Within this SVG, a filter definition using `<feImage>` points its `href` at a remote URL; because the sanitizer did not treat `<feImage>` as an image element, the reference survived sanitization, and the recipient's browser fetched the URL when the message was displayed, regardless of the setting that blocks remote images.
By leveraging this vulnerability, malicious actors could:
– Confirm the validity of an email address.
– Log the recipient’s IP address.
– Fingerprint the victim’s browser and device.
Resolution and Recommendations
To address this vulnerability, Roundcube has released versions 1.5.13 and 1.6.13. The fix involves updating the regular expression logic within `is_image_attribute()` to explicitly recognize `feimage` alongside `image` and `use` when inspecting `href` attributes. This ensures that any attempt to load external resources via SVG filters is caught and blocked by the strict image sanitization rules.
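As an added illustration (not Roundcube's own code), the Python below models the gap described above: a remote-reference check keyed on the element names whose `href` may fetch an external resource, run once with `feimage` missing from the set and once with it present, over a constructed email body. The element sets, the `tracker.example` URL and the regular expressions are assumptions made for this example.

```python
import re

# Element names whose href / xlink:href fetch an external resource.
# The pre-fix behaviour described in the article is modelled by a set
# that lacks 'feimage'; the fixed behaviour by a set that includes it.
IMAGE_ELEMENTS_OLD = {"image", "use"}               # assumption: pre-fix set
IMAGE_ELEMENTS_FIXED = {"image", "use", "feimage"}  # assumption: fixed set

TAG_RE = re.compile(r"<\s*([a-zA-Z][\w:-]*)([^>]*)>", re.S)
HREF_RE = re.compile(
    r"""(?<![\w:-])(?:xlink:)?href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
REMOTE_RE = re.compile(r"^\s*(?:https?:)?//", re.I)  # absolute or scheme-relative URL

# Constructed sample: a 1x1 SVG whose filter loads a remote image via <feImage>.
SAMPLE_EMAIL = """<p>Hello</p>
<svg width="1" height="1">
  <filter id="f"><feImage href="https://tracker.example/pixel?id=123"/></filter>
  <rect width="1" height="1" filter="url(#f)"/>
</svg>"""


def _url(match):
    """Return whichever quoting alternative of HREF_RE captured the URL."""
    return next(v for v in match.groups() if v is not None)


def remote_image_refs(html, image_elements):
    """List (element, url) pairs where an image-loading element points at a remote URL."""
    found = []
    for tag in TAG_RE.finditer(html):
        name, attrs = tag.group(1).lower(), tag.group(2)
        if name not in image_elements:
            continue  # element not classified as image-loading: href is left alone
        for href in HREF_RE.finditer(attrs):
            if REMOTE_RE.match(_url(href)):
                found.append((name, _url(href)))
    return found


def strip_remote_image_refs(html, image_elements):
    """Drop remote href attributes on image-loading elements (allow_remote = false)."""
    def fix_tag(tag):
        name, attrs = tag.group(1), tag.group(2)
        if name.lower() not in image_elements:
            return tag.group(0)
        attrs = HREF_RE.sub(lambda h: "" if REMOTE_RE.match(_url(h)) else h.group(0), attrs)
        return "<" + name + attrs + ">"
    return TAG_RE.sub(fix_tag, html)
```

With the pre-fix set the tracking reference is not reported at all; with `feimage` included it is both reported and stripped.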
Administrators managing self-hosted instances of Roundcube are strongly urged to upgrade to the latest versions immediately to safeguard user privacy.