When you are reading an email in the privacy of your home and nobody is looking over your shoulder, no one knows what you are doing. Right?
Unfortunately, this could be wrong, especially if you are reading feature-rich, pretty HTML emails. Feature-rich email is not only a powerful means of communication but also a major security threat.
There are many reasons why HTML email is a security risk, some of which are summarised below:
- Invisible images that monitor recipients and transmit information about them.
- Monitoring the path of a confidential e-mail message.
- Silent capture of valid email addresses for use by spammers.
- Executing arbitrary code from email using backdoors in MS Office.
- Abusing bugs in mail clients to execute programs attached to emails.
- Using ActiveX scripts in HTML email to steal private local files.
- Execution of malicious Java applets.
- Distribution of malicious worms that infect recipients’ machines.
In general, using HTML in mail makes you more vulnerable to spam and may increase the likelihood that your system will be compromised by present and future security exploits.
Viewing emails without rendering HTML-formatted content is a simple, easy, and effective security technique. Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought, even if the message is from a trusted sender. The best option is to configure your email client to render only plain text. Of course, you will miss the beautifully formatted emails, but that is the price of security. At the very most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, configure it to render only simplified HTML rather than rich HTML (or "Original HTML", as some clients label the option).
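As an added illustration (not code from the original post), the following Python script shows what a defender can do before any HTML is rendered: it parses a message, lists the remote image references in the HTML part, flags those that look like tracking beacons (remote and 1x1 or hidden, the "invisible images" from the list above), and produces a plain-text view without fetching anything from the network, which is the behaviour the plain-text-only client setting gives you. The sample message, its addresses and its URLs are constructed for this example.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Constructed sample message (not from the original post): a multipart/alternative
# mail with a plain-text part and an HTML part that carries a remote 1x1 beacon.
SAMPLE_EML = b"""From: newsletter@example.com
To: alice@example.org
Subject: Your weekly update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Hello Alice, here is this week's update.
--sep
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello <b>Alice</b>, here is this week's update.</p>
<img src="https://track.example.net/open?uid=alice-123" width="1" height="1" alt="">
<img src="https://cdn.example.com/banner.png" width="600" height="120" alt="Banner">
</body></html>
--sep--
"""


class ImageCollector(HTMLParser):
    """Collects every <img> tag with the attributes relevant to beacon detection."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = dict(attrs)  # attribute values may be None for bare attributes
        src = a.get("src") or ""
        self.images.append({
            "src": src,
            "remote": src.lower().startswith(("http://", "https://")),
            "width": a.get("width"),
            "height": a.get("height"),
            "style": a.get("style") or "",
        })


class TextExtractor(HTMLParser):
    """Keeps only text nodes, so tags, scripts and image references are dropped."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

    def text(self):
        return re.sub(r"\s+", " ", "".join(self.chunks)).strip()


def _tiny(dim):
    """True when a width/height attribute is 1px or less (None or junk -> False)."""
    try:
        return int(str(dim).rstrip("px")) <= 1
    except (TypeError, ValueError):
        return False


def is_beacon(img):
    """Heuristic: a remote image that is 1x1 or hidden is almost certainly a tracker."""
    hidden = "display:none" in img["style"].replace(" ", "").lower()
    return img["remote"] and ((_tiny(img["width"]) and _tiny(img["height"])) or hidden)


def plain_text_view(msg):
    """Return the body as plain text. Prefer the text/plain part; otherwise strip the
    HTML locally. Nothing is ever fetched, so no beacon fires."""
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:
        return part.get_content().strip()
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return ""
    ext = TextExtractor()
    ext.feed(part.get_content())
    return ext.text()


def analyze(raw):
    """Parse raw RFC 5322 bytes and report remote images, beacons and a safe text view."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    html_part = msg.get_body(preferencelist=("html",))
    images = []
    if html_part is not None:
        col = ImageCollector()
        col.feed(html_part.get_content())
        images = col.images
    return {
        "has_html": html_part is not None,
        "remote_images": [i["src"] for i in images if i["remote"]],
        "beacons": [i["src"] for i in images if is_beacon(i)],
        "text": plain_text_view(msg),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    print("Remote images:", report["remote_images"])
    print("Likely beacons:", report["beacons"])
    print("Safe view:", report["text"])
```

The beacon heuristic is deliberately conservative: a legitimate banner with real dimensions is reported as a remote image but not as a beacon, while the 1x1 or hidden remote image is. Whatever the heuristic says, the plain-text view never dereferences a URL, which is the property that matters.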
When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or being successfully phished by a malicious security cracker or identity thief. My personal preference is, in fact, to use a mail user agent that is normally incapable of rendering HTML e-mail at all, showing everything as plain text instead.
So, next time, think twice before you decide to use emails with HTML content!