4

My E-Mail is on Bell Net. I noticed today what I thought was a major security hole. Then I wasn't sure so I wanted to post this.

I discovered that even though I have logged off my E-Mail, I can still open attachments from my E-Mail. I viewed my browser history and I could easily open E-Mail attachments that I HAD open in a browser tab. I tried this for both images and pdfs. Then I tried this in Hotmail and this is not possible to do in Hotmail. I found that on the Bell Mail, when I logged out and cleared images from history, the image could still be viewed from the history. I had to clear Images + Cookies in order to be safe.

My concern is that in a public computer or if someone borrows your computer or you are visiting someone etc... even though you've logged out of your E-Mail, people can still view your attachments.

Is this a legit concern for my E-Mail Provider?

allo
Denis H
  • Can someone guess the attachment URL? – Arminius Apr 10 '18 at 21:21
  • No. Only by seeing it in the Browser History. – Denis H Apr 10 '18 at 21:25
  • If you copy the attachment link to a different browser, can you still view the attachment there? If no, then this is likely a caching issue as @Overmind's answer says. If you can open the attachment, then it's a security weakness in the server. – Neil Smithline Apr 11 '18 at 14:20
  • Could you tell whether at the beginning of the URL you have `file://` or `http://`? Also, if you are using Google Chrome or Firefox, you could use developer tools with the network tab to see whether the resource was loaded from cache or from the Internet. – vakus Apr 11 '18 at 18:33
  • No, if I copy to a different browser, it will not open. – Denis H Apr 15 '18 at 13:05
  • Here is the beginning of the URL: https://webmail.bell.net/appsuite/api/mail/ – Denis H Apr 15 '18 at 13:06
  • I edited the title of your post to contain more information from your question. Feel free to edit it again if I got it wrong or you can improve it even more. – allo Jul 10 '18 at 11:23

2 Answers

1

Use proper settings on your browser.

All attachments opened directly from your browser are cached by it, so yes, you can access them later. They did that as a feature... so they say. To prevent that, in all browsers nowadays you can open your e-mail in private/no history mode and that way when you close the browser nothing is saved.

Personally, I don't open any files directly from browsers. I save them to a specific location and then I open/edit/delete them from there as needed.

Overmind
  • I don't think that we can know for certain that the attachment is coming from the cache and not over the network. I think we don't have enough data to know if this is a client caching symptom or a server weakness. – Neil Smithline Apr 11 '18 at 14:18
  • All cache documents by default. Includes: Opera, IE, FF, Chrome, Edge. So unless the browser is a more obscure one or one with addons/extensions that manage this functionality, it's safe to say that this is the case. – Overmind Apr 12 '18 at 10:23
  • If I delete the history and try the same url I get this error: Bad Request SVL-0002 Categories=ERROR Message='Missing cookie: ... – Denis H Apr 15 '18 at 13:08
  • If I haven't deleted the cache and I go into the cache and open the file, that's one thing. But since I'm accessing a URL, I'd think the first thing it should do on the server is check whether I am currently logged in and if not, say so. On the other hand if it can be accessed through the cache and not through the URL, it is still accessible. So perhaps my fault for not deleting the cache. – Denis H Apr 15 '18 at 13:14
  • It is not unreasonable to consider the local cache to **not** be private - your testing has shown that the issue is with content caching. The HTTP specs allow for content to be cached only within the browser session (e.g. Cache-Control: max-age 3600,no-store) but I don't know how well this would be supported in practice. – symcbean Oct 08 '18 at 15:45
  • Offloading proper security to the (potentially not security-aware) end user isn't ideal. As described by OP, this most certainly is a concern with regards to the email provider. When logging out, all session cookies should be invalidated, and when accessing sensitive data, the browser should be instructed not to cache it. OP can protect themselves from this vulnerability, but the answer to the question "Is this a legit concern for my E-Mail Provider?" is "yes" (not a large one, but if they can't get a relatively simple issue such as this right, I would at least wonder what else may be wrong). – tim May 06 '19 at 17:16
  • Your browser saving cached files is not the concern of the e-mail providers. – Overmind May 07 '19 at 05:26
0

If it is only the attachments - then this is pretty much unavoidable currently. That's the point of attachments, they are intended to be downloaded to the client computer. In order to make the file available to a local application it needs to exist on the client's filesystem. Once downloaded they are no longer subject to the access control rules of the session nor the caching rules. Arguably they should still be subject to the latter - but that is an issue for the W3C and browser developers.

Some providers (e.g. gmail) offer some sort of online reader capability, but it is not reasonable for a webmail provider to provision an online reader capability for every possible file type with as much functionality as the native application.

A lot of the problem arises from an assumption by both providers and users that the users understand the technology they are using.

When I'm setting a computer to be used by more than one person, it is configured with separate accounts for each user and appropriate permissions to prevent cross account file access (other than by explicit design). i.e. there is a responsibility on anyone providing a computer to be used by multiple users to ensure the privacy of each user. But this is entirely invisible to the providers of websites.

Still, it could be worse.

symcbean
  • There's no good reason for the *URL* to still be usable to open the attachment. The attachments should be served with caching prohibited, in which case the attachment needs to be fetched from the server each time. When you don't have an active session, such fetches should fail. – CBHacking May 31 '20 at 05:57
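
The server-side behaviour the comments in this thread ask for (attachments sent with `Cache-Control: no-store`, the session checked on every fetch, and the session invalidated on the server at logout) can be sketched as a small WSGI app. This is an added example, not code from any post here or from the mail provider; the `sid` cookie name, the `/login`, `/logout` and `/attachment/1` paths and the in-memory stores are assumptions made for illustration.

```python
import secrets

SESSIONS = set()  # server-side session store (in-memory, for illustration)
ATTACHMENTS = {"/attachment/1": b"%PDF-1.4 constructed sample bytes"}
NO_STORE = ("Cache-Control", "no-store")  # browser must not keep a copy


def session_id(environ):
    """Extract the hypothetical `sid` cookie from the request, if any."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


def app(environ, start_response):
    path, sid = environ.get("PATH_INFO", ""), session_id(environ)
    if path == "/login":  # credential check omitted in this sketch
        sid = secrets.token_urlsafe(32)
        SESSIONS.add(sid)
        cookie = f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
        start_response("204 No Content", [("Set-Cookie", cookie), NO_STORE])
        return [b""]
    if path == "/logout":
        SESSIONS.discard(sid)  # invalidate on the server, not only in the browser
        start_response("204 No Content",
                       [("Set-Cookie", "sid=; Path=/; Max-Age=0"), NO_STORE])
        return [b""]
    if path in ATTACHMENTS:
        if sid not in SESSIONS:  # checked on every fetch, including replays
            start_response("401 Unauthorized", [NO_STORE])
            return [b"not logged in"]
        start_response("200 OK",
                       [("Content-Type", "application/octet-stream"), NO_STORE])
        return [ATTACHMENTS[path]]
    start_response("404 Not Found", [NO_STORE])
    return [b""]


def call(path, cookie=""):
    """Drive the WSGI app directly, with no network: (status, headers, body)."""
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return seen["status"], seen["headers"], body
```

With these headers a URL reopened from history has to go back to the server, where the session check fails after logout; a file the user explicitly saved to disk is outside the header's reach, as the second answer notes.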