AdBlock on Chrome enabling insertion of invisible spam into Zoho CRM e-mail signatures

I emailed a potential client yesterday who replied that she couldn’t read my email as it had crashed her email client. She also said that the email was huge. I had sent the email using Zoho CRM and when I checked it, it looked fine. Only a few lines long. So I sent myself a test message which also looked fine.

Then I did view-source on the message. Holy Crap. Hundreds of lines of HTML with ads inserted all over it. No wonder her email crashed.

The bit that had me really worried was that I sent it from an Ubuntu machine which “shouldn’t” suffer from such exploits.

I went into Zoho and couldn’t see where it could have happened. Then I had the aha moment (no, not Morten) and checked my Signature setting. Damn it looked fine. Wait, try view-source again. All the bastard HTML there in all its glory.

I was able to reliably replicate the problem. Paste text signature in Zoho field, save, re-open, view-source, see spam.

I then tried it on Firefox. It didn’t have the problem. Weird.

Then Windows 7. Chrome – bad. Firefox – good. And in a shocker, IE8 – good.

WTF?

So I went over to a netbook which I booted up with a clean Ubuntu USB stick and installed Chrome. And all was well, no problem. WTF x2? 

OK, so what is common amongst two machines but not a third, despite operating system differences? Aha, the browser extensions. Luckily I only have 3 installed so it was easy to test.

First I uninstalled AdBlock which I run mainly to block Flash ads since they cripple the CPU on netbooks and Ubuntu boxes.

Job done! Problem gone.

This is very very very serious. Something you install to block ads ends up causing the mailing of spam ads to your customers. Very very serious indeed.

I have reported it to Zoho in case they can block the problem at their end and ditto to the AdBlock people since it is more likely to be an exploit of them rather than dodgy behaviour. Here is a screen shot of some of what it was inserting:

[Screenshot: Spamads]
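The post’s repro is a manual view-source check: the signature renders fine, but the raw HTML carries hidden blocks (the `visibility:hidden` bit) that balloon the message. The script below is an added example, not code from the post, Zoho or AdBlock, that does the same check automatically: it parses an HTML signature, counts elements hidden by inline style or the `hidden` attribute, tallies the text and links buried inside them, and flags the signature if anything hidden is present or it exceeds a size budget. The sample signatures and the `ads.example.invalid` link are constructed for the demo; the 4 KB budget is an assumed threshold.

```python
"""Audit an HTML e-mail signature for invisible injected content.

Added example (not from the original post, Zoho or AdBlock). It automates the
view-source check from the post: a signature that renders as a few lines but
carries hidden HTML is flagged before it is saved or mailed out.
The sample signatures below are constructed for the demo.
"""
from html.parser import HTMLParser
import re

# Inline CSS that makes an element invisible without removing it from the mail.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}


class HiddenContentAuditor(HTMLParser):
    """Tracks how much of the markup lives inside hidden elements."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0        # > 0 while inside a hidden element
        self.hidden_elements = 0     # number of elements that are themselves hidden
        self.hidden_text_chars = 0   # non-whitespace characters inside hidden elements
        self.hidden_links = []       # hrefs that a recipient would never see
        self._stack = []             # per open element: True if it is hidden

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attr.get("style") or "")) or "hidden" in attr
        if hidden:
            self.hidden_elements += 1
        if tag == "a" and (self.hidden_depth or hidden) and attr.get("href"):
            self.hidden_links.append(attr["href"])
        if tag in VOID_TAGS:
            return                   # no matching end tag will arrive
        self._stack.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth:
            self.hidden_text_chars += len(data.strip())


def audit_signature(html: str, max_bytes: int = 4096) -> dict:
    """Return a report on hidden content and size; 'suspicious' is the verdict."""
    parser = HiddenContentAuditor()
    parser.feed(html)
    parser.close()
    size = len(html.encode("utf-8"))
    return {
        "bytes": size,
        "hidden_elements": parser.hidden_elements,
        "hidden_text_chars": parser.hidden_text_chars,
        "hidden_links": parser.hidden_links,
        "suspicious": parser.hidden_elements > 0 or size > max_bytes,
    }


# Constructed samples: a normal signature, and the same signature with an
# invisible block tacked on the way the post's view-source revealed.
CLEAN_SIGNATURE = (
    '<p>Conor<br>Example Ltd<br><a href="https://example.com">example.com</a></p>'
)
INJECTED_SIGNATURE = CLEAN_SIGNATURE + (
    '<div style="visibility:hidden">'
    '<a href="http://ads.example.invalid/offer">Cheap offers</a> '
    '<span style="display:none">more filler text</span>'
    "</div>"
)

if __name__ == "__main__":
    for name, sig in (("clean", CLEAN_SIGNATURE), ("injected", INJECTED_SIGNATURE)):
        print(name, audit_signature(sig))
```

Run it as-is to see the clean signature pass and the injected one flagged with two hidden elements and one hidden link. To use it on a real signature, paste the view-source output into `audit_signature`; a signature that is a few visible lines but reports hundreds of hidden characters or a large byte count is exactly the symptom the post describes.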


5 thoughts on “AdBlock on Chrome enabling insertion of invisible spam into Zoho CRM e-mail signatures”

  1. Hoooooly hell. Lucky me, I haven’t installed AdBlock on my Ubuntu/XP Chrome. (I prefer Firefox anyway, but that’s irrelevant.) This is a massive massive hole and I can only hope it is plugged forthwith. Well done for finding it.

  2. That looks like a filterlist from Adblock, rather than an injection of HTML (altogether more serious). Is that the case? Or could you see ad images, rendered by your mail client? If you grep some of the screenshot above within your ~/.config/google-chrome/Default/Extensions/ folder, you’ll see the block list. Of course, the block list shouldn’t be pasted, no matter what, but that’s not remotely as scary as random ad images being injected, if that’s the case!

  3. @PROGRAM_IX – I have AdBlock on Firefox too and it doesn’t happen. Uninstalling it just in case. @cgarvery – I wondered that too but the visibility:hidden bit is what makes me think it is an exploit. Ads are not visible in the email, just tacked on invisibly with no obvious “attachment”. My main concern was that it could have lost us a potential client (and they are huge!).

  4. @Conor: That is odd. It’s not so much this one hole that’s scary; it’s that if there’s this one…
