Link preview provided as a feature by webmail/clients such as Outlook or IM like Telegram may cause unexpected behavior like unwanted account register confirming, automatic mailing list subscribing or even infinite password resetting through links with special functionality.
One morning, I opened OUR mailbox, and found an address validation letter with a confirming link lying there. Spam, I thought, as this email address is used as a official account, no one in our organizaiton would use it for personal account registration, but right before I close this mailbox, I was suddenly reminded of something.
The day before this morning, we happily tested a new functionality provided by the webmail of Outlook – Link Preview. Well since we are already modern now, with modern front-end and modern webpage, what’s wrong with link preview? This is what we all expected! This is how modern front-end should be like!
But wait, would link preview visit every link in this email? If it does, right after I opened this email, the validation would be done!
Even worse, I cannot check whether the validation is over since the registered account is not in my hand and I dare not click on that confirming link.
After some discussion within our org, we think that there may be some allow lists that prevent the preview of certain sites, but if the list is not a list of REGEX, when I register the account of popular platforms, the link would still be previewed.
So the registered account still hangs there, we do not know its status, and bad thing can be done with that account.
After I discovered this issue, I come to a broader concern on similar issues. And after posting this issue among my friends, more stories are collected and more exploits can be done.
One story is that one user of Telegram gmailbot received a validation letter one day, and after they opened that bot, the message of confirmation success was received right away. The mechanism of preview of Telegram is to preview every first link of one message unless the user cancels that.
Another story is that one user of one email provider used that email for some account registering, and one day they forgot their password. For that site, password reset are done by a special link sent to the email address associated with that account, but for the sake of security, the email provider checks every link in the email(common behavior of big providers, maybe), hence the password reset link would have been accessed once when the user sees the email, and the reset cannot be done successfully. Since this security check is a black box and unrevealed to that user, the user tried almost infinitely and asked the admin of that site to debug.
- When subscribing a mailing list on web, a confirmation letter would be sent, in some forms it asks you to reply to that email containing certain string, but mostly it shows you a validation link. This may be used for spamming hence DoS of one account; it can also be used for DoS of one mailing list as all subscribers are ‘valid’.
- When you upload a PGP public key to a keyserver like OpenPGP, it sends validation letter. Hence fake public key of one identity can be made with confirmation, and without revocation.
- As the last story above indicates, password reset can never be done, or done by the provider.
- When there are one-time special functional links(common behavior), and the provider/client automatically access that link in any form, there are unexpected behaviors.
It talks about information leaking and malicious payload, while I am from the perspective of the protocol itself.
Providers, don’t touch my thing.
Automation/Rules without turn-off options are bad.