Roundcube Webmail: SVG feImage bypasses image blocking to track email opens

https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/
46•nullcathedral•1h ago

Comments

Galanwe•1h ago
Nice catch!

I am trying to read as little _online_ as possible nowadays. I essentially have dovecot in my crontab, and read it off Roundcube. It's been working great; Roundcube is dead simple to set up and use, and the UI and search are very fast.

stragies•59m ago
Hmm, I wonder if Roundcube was the exception (w.r.t. feImage), or if other webmail clients will soon need to be patched.

nullcathedral•39m ago
Author here! I have looked at Thunderbird. I'll go and look at some others as well; I should probably have done that earlier.

zimpenfish•20m ago
I wouldn't vouch 100% for my PHP understanding, but it looks like SnappyMail removes `<svg>` elements entirely (`BuildHtml` in `snappymail/v/2.38.2/app/libraries/MailSo/Base/HtmlUtils.php`).
smelendez•44m ago
I often think the best way to defeat email open tracking would be for a mainstream email client to prefetch every image when a non-spam email is received and cache it for 72 hours or so.

Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.

mmh0000•41m ago
Some of the big providers already do this, notably Apple and Gmail:

https://www.litmus.com/blog/gmail-prefetching-images

Saris•39m ago
I think this is what iCloud does. Seems like an easy way to make tracking useless if every client did it.

mzi•4m ago
I worked for a short time for an American company. They had periodic phishing tests from Mitnick. The links in those emails were not to be clicked, as doing so would trigger a mandatory training. The emails also had a header saying they were a phishing test, so I deleted all those emails in a filter.

The company also ran a mail filter called Barracuda or something similar that followed links in emails to see if they were malicious.

I was quite annoyed when I was called to do the mandatory training as "I" had clicked a link (on an email I hadn't seen) and more so when told I had no other recourse than to sit through it.

I resigned shortly afterwards.

jonathanlydall•43m ago
Slightly related, but fraudsters love using .svg attachments; typically the mails purport to be for an invoice which you need to log into your Microsoft account to be able to "securely" view.

I'm not sure if Exchange Online doesn't scan them or something, but I landed up making a rule which blocks all emails with either .svg or .htm(l) attachments and notifies me when one is blocked.

Happens a couple of times per month for our small company, no false positives yet.

michaelteter•23m ago
Not disputing the article, nor insinuating that there's some ulterior motive, but it's curious that this blog has only one post, and the About page suggests a lengthier history (with references to what would have been previous posts).

nullcathedral•4m ago
Author here! Are you referring to the "What's inside this vendor's VMware images?" on the about page? That is merely an illustration of what goes on inside my head. This is the first article on my blog.

Avamander•2m ago
SVGs are just the tip of the iceberg of how hard it is to sanitize email content. There aren't any purpose-built good libraries for email sanitization either, ones that would handle SVG, CSS, HTML, everything.
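
The two mitigations this thread touches on, dropping `<svg>` subtrees outright (the SnappyMail behaviour zimpenfish describes) and refusing to let any element reference a remote URL (the "block remote images" setting the feImage trick bypasses), can be shown together in one small sanitizer. The following is an added example written for this page, not code from Roundcube, SnappyMail or the linked article; it uses only Python's standard-library `html.parser`, the element/attribute lists and the sample message body are constructed here, and real email sanitizers (which also have to deal with CSS, `<style>`, `<base>`, forms and more, as Avamander notes) are considerably larger.

```python
from html import escape
from html.parser import HTMLParser

# Attributes through which an element can cause the client to fetch a remote
# resource. Constructed list for this example; a real sanitizer needs more
# (CSS url(), <meta refresh>, <base>, ...).
URL_ATTRS = {"src", "href", "xlink:href", "background"}
# HTML elements that never take a closing tag.
VOID_ELEMENTS = {"img", "br", "hr", "input", "meta", "link", "source"}


def is_remote(url: str) -> bool:
    """True for URLs that trigger a network fetch when the mail is rendered.
    cid: (inline attachment) and data: references stay local and are kept."""
    u = url.strip().lower()
    return u.startswith(("http://", "https://", "//"))


class EmailHtmlSanitizer(HTMLParser):
    """Drops every <svg> subtree and, when block_remote is set, every
    attribute that points at a remote URL. Note that HTMLParser lowercases
    tag and attribute names, so <feImage> is reported as 'feimage'."""

    def __init__(self, block_remote: bool = True) -> None:
        super().__init__(convert_charrefs=True)
        self.block_remote = block_remote
        self.parts: list[str] = []
        self.svg_depth = 0              # > 0 while inside an <svg> subtree
        self.removed: list[str] = []    # audit trail of what was stripped

    def handle_starttag(self, tag, attrs):
        if tag == "svg" or self.svg_depth > 0:
            if tag == "svg":
                self.svg_depth += 1
            self.removed.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            if self.block_remote and name in URL_ATTRS and value and is_remote(value):
                self.removed.append(f"{tag}[{name}]={value}")
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.parts.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax such as <feImage .../> goes through the same
        # filter; void elements must not get a spurious closing tag.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_ELEMENTS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.svg_depth > 0:
            if tag == "svg":
                self.svg_depth -= 1
            return
        if tag not in VOID_ELEMENTS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if self.svg_depth == 0:
            self.parts.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry nothing the reader needs; drop them


def sanitize(html: str, block_remote: bool = True) -> tuple[str, list[str]]:
    """Return (sanitized_html, list_of_removed_items)."""
    p = EmailHtmlSanitizer(block_remote)
    p.feed(html)
    p.close()
    return "".join(p.parts), p.removed


# Constructed sample body: an inline (cid:) logo that should survive, a 1x1
# tracking pixel, and an SVG filter whose feImage pulls a remote URL.
SAMPLE = (
    "<p>Hello &amp; welcome</p>"
    '<img src="cid:logo@example.invalid" alt="logo">'
    '<img src="https://tracker.example.invalid/pixel.gif" width="1" height="1">'
    '<svg xmlns="http://www.w3.org/2000/svg"><filter id="f">'
    '<feImage href="https://tracker.example.invalid/open.png"/>'
    '</filter><rect filter="url(#f)" width="1" height="1"/></svg>'
    "<p>Regards</p>"
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(clean)
    for item in removed:
        print("removed:", item)
```

Running it on the sample keeps both paragraphs and the `cid:` logo, emits the pixel `<img>` without its `src`, and drops the whole `<svg>` block, so neither `pixel.gif` nor `open.png` is ever requested. The `removed` list is the part worth logging in production: a sudden rise in stripped `feimage` or remote `src` entries is a cheap signal that a sender is probing the client's image-blocking policy.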