![[ t ]](/images/structural/icon_twitter.gif){kind=icon}
Outlook Web Access Privacy Hole
Here’s something a little scary for anyone who uses Outlook Web Access. Watch out for the links you click in emails, because your browser may send a whole lot of information about you in the HTTP Referer header.
Browsing through my log files the other day, I found this as one of my referers (all specific information changed to protect the innocent):
https://www.jtllearningsystems.com/exchange/MariaDumond/Inbox/Check%20this%20out.EML
This is the referer that results from clicking on a link displayed in Outlook Web Access. It’s the URL from one of the message pop-up windows. You don’t usually see it because when you open a message, the address line is surpressed in the pop-up. Next time, open a message, right-click on the page, and click “View Page Info” (Mozilla / Firebird) or “Properties” (IE).
From one line in a log file, I have the name of the user and the name of her company. I typed in the domain name, and I got a Web site for the company, with helpful contact information listing a city and state.
Using that information, a Google search turned up her email address, home address, and home telephone number. Within about 60 seconds , I knew where she worked, where she lived, and how to email, postal mail, and telephone her.
Based on my knowledge, there’s no way to protect against this. The browser doesn’t know that it’s exposing a privacy hole by sending the URL of the referring page. The browser doesn’t even know it’s using Outlook Web Access. It could be at CNN for all it knows — browsers just blindly pass along URLs, since there’s rarely any identifying information in them.
I know of no browser which you can configure to not send an HTTP Referer header, though this would be a handy feature.
In the end, this brings up a good point for secure coding: never embed any identifying information in a URL thinking the user will be the only one who ever sees it. Browsers will blissfully pass along those URLs without telling you about it.
What Links Here
It's Time for URL-Specific Browser Settings
Here's what I'd like to see for upcoming browsers: customized browser settings on a URL-by-URL basis. I think it's time to admit that different sites sometimes require vastly different browser settings to work optimally. For instance, I visit some sites that scroll horizontally. To see them completely, I need…
HTTP Referer Protection via Firewall
Outpost Firewall: This personal firewall blocks outgoing HTTP referrers, which we've discussed before as being a potential security hole. Webmasters just see this in their referrer logs: Field blocked by Outpost (http://www.agnitum.com) It must have to parse the text of the HTTP request and manually modify the line which includes the…
Preventing Image Leeching
Smarter Image Hotlinking Prevention: Here's a great antidote for hotlinkers — people who embed images from YOUR Web site in their page (so they get the image at your bandwidth expense). This system will prevent images from loading in pages not on your site. These fixes aren't uncommon, but this…
HTTP Referer Security Considerations
HTTP/1.1: Security Considerations: Regarding my earlier post about the Outlook Web Access privacy issue, here's what I found about HTTP Referer headers in the HTTP 1.1 spec (RFC 2616): Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended…
Comments
Based on my reading of the HTTP spec, this seems to be a browser error. That was a secure URL (https://), so the Referer should not have been transmitted, yet it was.
I took a look back in my logs and found that she was using:
"Mozilla/4.0 (compatible; MSIE 5.22; Mac_PowerPC)"
IE 5.22 on a Mac. Could this be a security hole in that version of the browser?
I did a quick query on my database to see how many referrers come from "https" domains, and this was the only one. More evidence that this is a browser bug.
A bug in IE. I'm shocked. I'll test it for you on Safari later and you can check your logs to see if anything shows up.
Got it listed in BugTraq:
Grepping through my logfiles I've found the following browser signatures with https referers:
"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; AGENTOR 1.1)" "Mozilla/4.75 [en] (X11; U; SunOS 5.8 sun4u)" "Mozilla/4.79 [en] (X11; U; Linux 2.4.18-24.7.x i686)" "Mozilla/4.8 [en] (X11; U; Linux 2.4.20-4GB-athlon i686)" "Mozilla/5.0 (compatible; Konqueror/3; Linux)" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; de-de) AppleWebKit/85 (KHTML, like Gecko) Safari/85" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/103u (KHTML, like Gecko) Safari/100.1" "Wget/1.8.2"
Maybe the problem is more widespread than thought...
Well, crap, maybe this is just a bunch of vendors ignoring the spec? That doesn't actually happen, does it? I'm disappointed to find Mozilla browsers in there.
And there I thought I had found an actually bug. Bummer.
This is somewhat an older issue. I've found a posting to Bugtraq about mozilla disclosing information. http://archives.neohapsis.com/archives/bugtraq/2002-09/0109.html
I was nog aware that IE was also vulnerable to this issue. Anyone tested with other IE versions than 5.5 for Mac?
As I once mentioned on my own site (http://jasewells.com/archive/post/121), the problem could be mitigated if systems like Exchange Webmail didn't include so much personal information in their URLs. When browsers screw up and provide the referrer URL to the target site, not only does it reveal the HTTPS referrer, but you know the person's name/login, the mailbox they were reading, and the subject line of the message. Better architecture of the webmail URL (i.e., using UIDs instead of mailbox names and subject lines) would at least hide some personally identifying information.
Hello folks. In response to the comment in the intial post: "I know of no browser which you can configure to not send an HTTP Referer header, though this would be a handy feature."
In fact, with Mozilla-based browsers this is quite trivial. Open the URL about:config and search for "network.http.sendRefererHeader" -- that can bet set to 0, 1, or 2: 2 - default, send referer for all requests 1 - do not send referrer for images 0 - do not send referrer for anything I've just confirmed with FireBird v0.7 that the above settings function as stated.
Additionally, according to Syamtec Docs, the Norton Internet Security and Norton Personal Firewall software products can supress referer as part of the privacy functionality. That should work for any browser, I presume. I have not confirmed this though.
I just confirmed that this works perfectly. Thanks for the tip. I'll post this as a new item later. It's something that people should know about.
I just checked the preferences for the iCab 2.9.5 browser (Mac only) and it did have an option to control the referer function to "always", "never" or "only within same domain." The setting is under "Network" > "HTTP/DNS"
"I know of no browser which you can configure to not send an HTTP Referer header, though this would be a handy feature."
Opera can also do this. Just press F12 and it opens a "context" menu where your mouse is. In that menu you can choose many things such as JavaScipt,Cookies etc. there IS also a option named "Enable referer logging". You can turn that on an off using that option.
That is also very quick to change when you get used to it. I use it often when I'm browsing with Opera.
Add Comment
- Google Image Labeler by Anonymous, 1 minute ago
- The 12-Year-Old Spy by alex, 1 hour, 28 minutes ago
- How many supertankers does it take to supply the U.S. with oil for a single day? by julsy, 5 hours, 13 minutes ago
- miniBB: Simple BBS by test, 7 hours, 5 minutes ago
- Cancel Google by Asuncion m. Austria, 7 hours, 15 minutes ago
- Show 5 more »
- Rock Band Review by Deane in 2007
- Line Rider by Deane in 2006
- The 10 Types of Blog Posts by Deane in 2005
- LidRock by Deane in 2004
- Are you suggesting coconuts migrate? by Rob in 2003
- Show 0 more »