Not long ago, security researchers found they could take over old tweets that linked to links that don’t work anymore. Did you know you can do the same thing with email? To demonstrate this, we “Email Graffitied” an email sent to all YouTube users in 2020.
Take a look for yourself! It has the title: “Changes to YouTube’s Terms of Service”.
We’re also open sourcing a small script that can help you find emails that you too can take over the images for: https://github.com/trufflesecurity/EmailGraffiti
People often assume Email is static and unchanging, but that’s not true. Most major email providers will dynamically pull in fonts and images at the time of viewing the email from external locations. That means if you view an email today, it could look totally different looking at the same email tomorrow!
Email dynamically loading fonts and images
So how does this lead to vandalizing old Emails? Imagine a scenario where an image is loaded with the following HTML:
Try visiting the URL in a browser, but replace the bolded text with just a random set of characters. You’ll get the following error:
In cloud computing (GCP or AWS) you can store images in “buckets”, and these buckets have names that are shared globally across all customers. That means two customers of AWS or GCP can’t have the same bucket name. So what happens if you typo the name of the bucket you want to serve the image out of? Someone else can take that bucket name and serve their image in your email!
That’s the basic idea behind Email Graffiti. Whether the company typo’d the bucket and never owned it in the first place, or maybe they once owned it, but stopped paying for it at some point, in either case, anyone can just come in, register the bucket, and take over the email!
You can also do the same thing with domains that aren’t registered anymore, but we only explored buckets, we didn’t look for domains that could be registered.
Interestingly we found a lot of emails that were sent from businesses that don’t exist anymore, that had 100% of their images that could be taken over. This is because they likely deleted their entire cloud account, and so the further back in email you go, the more rot, and decay you might find.
Sticking GIF’s where JPEG’s go
You might be wondering, how did we make our email image animated? It turns out in Google Chrome, if your hyper link links to a .JPEG file extension, it actually doesn’t matter, if the web server returns a GIF and sets the content type to GIF, chrome will treat the image as a GIF!
This means any static JPEG email image that’s takeover-able can be replaced with an animated GIF! Cool, right?
Naturally we wanted to push this to it’s logical conclusion, so we found a full feature length film that was in the public domain, and converted it into a GIF. Did you know The Knight Of The Living Dead is in public domain? We didn’t either, but were happy to see it was.
Here it is in GIF format:
Unfortunately we ran into another problem, which is, Gmail specifically actually proxies all the images in your email through their mail client proxy, and will check ahead of time if images are more than 1000 frames. This limitation means we can’t play the Night Of The Living Dead in Gmail, but it does work with other mail providers!
Can this be abused?
We partnered with Material Security (they do a lot of email stuff) to look over a ton of email to identify when this problem occurs the most. They were able to identify a few instances of typos, but by far the more frequent scenario was resources that used to be owned that got given up in the past.
Because of this, the abuse use case is fairly limited (at least as far as we could think of potential abuse scenarios). Most emails get read in the first 12 hours of sending, so stomping over an old email, potentially years past, is probably unlikely to cause too many abuse avenues.
Honestly there’s not much to take away from this, other than the fact you can show your friends some cool graffiti art on some old emails. Because the emails are distributed so widely it’s almost like an NFT, but that’s actually easy to show it’s ownership. So have fun collecting buckets, maybe ask permission or shoot the company a heads up first (we let google know about the YouTube email)
Are you curious how appsec research like this is done? Checkout my hacking reenactment in the video below!