Roundcube Webmail: SVG feImage bypasses image blocking to track email opens

https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/
52•nullcathedral•2h ago

Comments

Galanwe•1h ago
Nice catch!

I am trying to read as little _online_ as possible nowadays. I essentially have dovecot in my crontab, and read it off roundcube. It's been working great; RoundCube is dead simple to set up and use, and the UI and search are very fast.

stragies•1h ago
Hmm, I wonder if roundcube was the exception (w.r.t. feImage), or if other webmail clients will soon need to be patched.

nullcathedral•51m ago
Author here! I have looked at Thunderbird. I'll go and look at some others as well; I should probably have done that earlier.

zimpenfish•32m ago
I wouldn't vouch 100% for my PHP understanding, but it looks like SnappyMail removes `<svg>` elements entirely (`BuildHtml` in `snappymail/v/2.38.2/app/libraries/MailSo/Base/HtmlUtils.php`).

smelendez•56m ago
I often think the best way to defeat email open tracking would be for a mainstream email client to prefetch every image when a non-spam email is received and cache it for 72 hours or so.

Every email gets flagged as “opened,” so the flag is meaningless, and recipients can see the images without triggering a tracker.

mmh0000•54m ago
Some of the big providers already do this, notably Apple and Gmail:

https://www.litmus.com/blog/gmail-prefetching-images

Saris•51m ago
I think this is what iCloud does. Seems like an easy way to make tracking useless if every client did it.

mzi•16m ago
I worked for a short time for an American company. They had periodic phishing tests from Mitnick. The links in those emails were not to be clicked, as doing so would trigger mandatory training. The emails also had a header saying they were a phishing test, so I deleted all those emails with a filter.

The company also ran a mail filter called Barracuda or something similar that followed links in emails to see if they were malicious.

I was quite annoyed when I was called to do the mandatory training as "I" had clicked a link (on an email I hadn't seen) and more so when told I had no other recourse than to sit through it.

I resigned shortly afterwards.

jonathanlydall•55m ago
Slightly related, but fraudsters love using .svg attachments, typically the mails purport to be for an invoice which you need to log into your Microsoft account to be able to “securely” view.

I’m not sure if Exchange Online doesn’t scan them or something, but I landed up making a rule which blocks all emails with either .svg or .htm(l) attachments and to notify me when blocked.

Happens a couple of times per month for our small company, no false positives yet.

michaelteter•35m ago
Not disputing the article, nor insinuating that there's some ulterior motive, but it's curious that this blog has only one post, and the About page suggests a lengthier history (with references to what would have been previous posts).

nullcathedral•16m ago
Author here! Are you referring to the "What’s inside this vendor’s VMware images?" on the about page? That is merely an illustration of what goes on inside my head. This is the first article on my blog.

Avamander•14m ago
SVGs are just the tip of the iceberg of how hard it is to sanitize email content. There aren't any purpose-built good libraries for email sanitization either. Something that would handle SVG, CSS, HTML, everything.
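As an added illustration of the point zimpenfish and Avamander make above (example code, not from Roundcube, SnappyMail or the linked article), here is a minimal HTML-email sanitizer in Python with two policies: dropping only `<img>`, which still leaves a remote reference inside an SVG `feImage` primitive, and dropping every `<svg>` subtree, the behaviour the thread attributes to SnappyMail. The sample message, the `remote_refs` reporting helper and the `Sanitizer` class are all constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the article): an ordinary remote <img> plus
# an SVG filter whose feImage primitive also fetches from a remote host.
SAMPLE_EMAIL = """<html><body><p>Your invoice is attached &amp; ready.</p>
<img src="https://tracker.example/open.gif" width="1" height="1">
<svg width="1" height="1"><filter id="f">
<feImage href="https://tracker.example/pixel.svg"/></filter>
<rect filter="url(#f)" width="1" height="1"/></svg></body></html>"""

def remote_refs(html):
    """(tag, attribute) pairs that point at http(s) URLs: the remote fetches a
    client would make on render. Reporting helper only, not the sanitizer."""
    return re.findall(r'<(\w+)[^>]*?\s(\w+)="https?://', html)

class Sanitizer(HTMLParser):
    """Re-emit the message without <img>; with strip_svg=True also drop each
    whole <svg> subtree (feImage included), as the thread says SnappyMail does."""
    def __init__(self, strip_svg):
        super().__init__(convert_charrefs=False)  # keep entities escaped
        self.strip_svg, self.svg_depth, self.out = strip_svg, 0, []
    def _drop(self, tag):  # inside a dropped <svg>, or an element we remove
        return self.svg_depth > 0 or tag == "img" or (self.strip_svg and tag == "svg")
    def handle_starttag(self, tag, attrs):  # html.parser lowercases tag names
        if not self._drop(tag):
            self.out.append(self.get_starttag_text())
        elif tag == "svg" and self.strip_svg:
            self.svg_depth += 1
    def handle_startendtag(self, tag, attrs):  # <x/> opens no subtree
        if not self._drop(tag):
            self.out.append(self.get_starttag_text())
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif not self._drop(tag):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.svg_depth:
            self.out.append(data)
    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")

def sanitize(html, strip_svg):
    s = Sanitizer(strip_svg)
    s.feed(html)
    s.close()
    return "".join(s.out)
```

Run `remote_refs` over the output of both policies: the img-only policy still reports the `feImage` reference, the svg-stripping policy reports none.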
