Opening an Email = Pwned (default image loading on Apple products)

iPhones, iPads, and Macs (presumably only) apparently load images by default.

A researcher found several routers can be configured just through POST and GET requests.

Most people don’t change their default router password.

Therefore, all the researcher had to do was embed a 1×1 image in the email, whose src=”” link was a specially crafted URL that would reconfigure the router. To, say, re-route the target’s DNS servers to the attackers’.


Solution: Re-route the iPhone and iPad to Craigslist. Then disable image loading by default in your email clients! You should have done this long ago if it was even necessary, but this is as good a reason as any to check. (There are /tons/ of ways to exploit this, this is just a uniquely nasty one. The technique is used widely by marketers to try and see who opens their emails… which suggests someone ought to write a spam-scanning plugin that GETs the URLs of all 1×1 pixel embedded images with “Vlad the Impaler” as its user-agent field.)

“The attack leverages two unrelated instances of insecurity. The first is a functionality in Apple products that loads images from remote servers by default in emails. The other vulnerability is the reality that most Internet users are either completely unaware that they can change their default router password, know they can but choose not to change it anyway, or change it to a weak password. Of course, once you enter a router’s settings interface you can make all sorts of changes.

So what? How is email image loading connected to router configurations? Well, Calin realized that the router models he tested in his attack accepted configuration parameters through POST and GET requests. He exploited this by changing the POST parameters to GET parameters and sending off an email in which he embedded an invisible, one by one pixel image of the router’s configuration URL in the background of an email, concealed by a video or some other image, which would then be automatically uploaded. He increased the chances of his attack succeeding by hiding a number of iframes in the invisible image with default and commonly used username-password combinations.

When the victim opens the email, they don’t need to click anything for the exploit to work. Just opening the email changes the victim’s router’s DNS servers to an IP address of Calin’s choosing.

Calin successfully tested the attack on his Asus RT-N16 and N56U routers and later updated his report to reflect that the attack seemed to be working against TP-Link routers as well, specifically the TL-WR841N model, but he writes that it is possible that the attack could work against other makes and models as well, particularly those that accept configuration changes from GET parameters and don’t have built in cross-site request forgery protections.

Users can mitigate against this attack altogether by altering their settings so that images aren’t automatically uploaded when users open an email, which, as Calin notes, is the recommended best-practice by most security experts anyway.”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: