3

As reported in the NY Times, there was some type of electronic spying in a high-profile military trial. It's claimed that the prosecutors were spying on the defense:

The court-martial ... has been thrown into turmoil by, of all things, a harmless-looking image of a bald eagle perched on the scales of justice.

The bit of digital artwork, embedded in an email message, contained hidden software that could track if anyone read or forwarded the email, and may have also been able to allow access to all communications and files on the recipients’ computers, defense lawyers argue in court filings.

I'm interested in what specifically happened here, if it is publicly known. I didn't think simply viewing an image in an email could be used to execute any kind of malware on a recipient's PC. Perhaps a vulnerability in a specific email client was taken advantage of?

Further quotes from the article:

[the senders] acknowledged in a statement it used “an audit capability” in the course of its investigation into the leaks, but said, “It is not malware, not a virus, and does not reside on computer systems. There is no risk that systems are corrupted or compromised.”

...

Defense lawyers grew suspicious when the bald-eagle image did not load correctly on some email accounts, and instead appeared as a hyperlink to a nonmilitary server.

A screenshot of one of the emails (image not reproduced here).

I could see how the embedded image could be used to identify which recipients viewed the email (or at least their IP perhaps) but no more than that.

Steffen Ullrich
StayOnTarget
    It probably looks like tracking the IP by downloading the image, but this depends on the client used; it could also be an issue in the email client that, with a specific issue in showing images, could potentially inject code. – camp0 May 18 '19 at 20:28
  • 1
    Given that there is claimed to be hidden code inside the email involved, it could also be an HTML attachment (not inline) which on click gets stored and executed in the user's context with full permission - and can execute JavaScript too. Such HTML attachments with JavaScript are commonly found in credential-phishing mails. But these are all speculations. – Steffen Ullrich May 18 '19 at 20:30
  • 1
    This is **very likely** to be nothing more than IP tracking when the image is fetched. – forest May 19 '19 at 03:17
  • And "_Defense lawyers grew suspicious when the bald-eagle image did not load correctly on some email accounts_" is probably just that those email accounts/clients didn't have auto-loading of images enabled. – TripeHound Jun 05 '19 at 10:21
  • @TripeHound but if autoloading was disabled that wouldn't be suspicious, because that would be the normal behavior. Instead maybe the auto-loaded images were blocked by some security filter and that is what made it stand out? – StayOnTarget Jun 05 '19 at 11:11
  • @DaveInCaz It _isn't_ suspicious (at least to anyone who knows how browsers work) but is probably sufficient for a crafty defense lawyer to use as a (false) basis to whip up "_ooh the military are doing something devious_" sentiment in a (probably) non-technical court and/or public. – TripeHound Jun 05 '19 at 11:18

2 Answers

4

It's very common practice even by legit companies to track open success rates by placing an image link in the body of an email. Then if your email browser like Outlook is configured to auto-load images in emails, it makes an HTTP request out to a website to load the image. That request will have a unique id in the URL specific to you ... so now the web server hosting the image knows that you opened your email.

That is all done basically without any real hidden code ... just standard HTML in the body of an email.

If there was "hidden code" then perhaps it was something like a script hidden in an SVG image, or perhaps it was a different attachment type like .html or .js.

1

Complement to the other answer, with details.

This is a kind of Web tracking, possibly making use of a Web beacon by taking advantage of many email clients' simple HTML renderers.

The sender can embed a URL with a unique identifier inside the email as HTML code, e.g.

<img src="http://www.example.com/id12345.jpg"> 

Since many email clients render HTML automatically by default, the rendering process sends a request to fetch the image file. That request exposes the user's IP address and possibly the email client (if the client sends a distinctive User-Agent).

If you want to learn more, you can read this article on how the HTTP handshake process works. You can actually observe this with most popular web browsers' developer mode.

mootmoot