CSS a Mail Security Issue?

Reading some e-mail with the Horde Project’s [horde.org] webmail reader, I was surprised to see all of the CSS style statements from the header of an html e-mail message visible, instead of interpreted. A quick look at the source showed the following, interesting, header statement.

<cleaned_tag type=”text/css”>

What, you may ask, is a “cleaned_tag”? It appears that there is, to my eyes, an undocumented feature of the Horde webmail interface. Any heading tags that are related to “blatant security holes” [google.com] are cleaned by renaming them. Thus, <style> becomes <cleaned_tag>.

I was not able to find a post indicating “Why?” the <style> tag is considered a security hole, but I am still looking. The only thing I can find that appears to be related is a discussion of a HOTMAIL CSS issued. Hotmail Security Hole: False Alarm? [tnl.net] published back in February of 2001. In it, they state, “by using cascading style sheets (CSS), hackers could easily replicate the look and feel of Web-based mail packages, leaving the user unaware of the fact that they have a problem.”

All I know, is that I would expect such a “blatant security hole” to be more widely discussed.

Leave a Reply

XHTML: You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>