Effective Security thru Obscurity
In mail messages, images are blocked and only their URL is shown to members. This does not affect replies to or forwards of the message.
Reason? An embedded image makes your browser fetch whatever URL the sender chose, so images can be used maliciously in an XSRF (Cross Site Request Forgery) attack, and because the messaging system is a "one viewer only" system, such an attack can be aimed at a specific member.
The image can also be hosted on the sender's own computer or server, in which case fetching it leaves entries in their server logs recording when you accessed the file, your IP address, your browser, and (if it is part of the link) your username.
Not every image with these features is unsafe, but watch for these warning signs in image links:
- Odd characters, especially ampersands (&), percents (%), semicolons (;), angle brackets (< >), and quotes (' or ").
- Personally identifiable information in the link, such as your username, user ID, etc.
- Dynamic URLs. These can be identified by the query string at the end of the link. Example: http://www.youn00b.com/omghackz.php?targetuser=yourname&use=menu. Yours will differ, but the .php extension, the ?, the =, and the & all indicate a dynamic URL.
- Site function URLs, such as the logout URL.
If you see any of these warning signs, we recommend that you do not open the images.
If you trust the user and/or the image, you can click the "click here" link to re-open the message and display the linked images.
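The warning signs listed above can be checked mechanically. The following is an added example (not part of this help page or the site's own code) that flags an image link against those four signs; the site hostname, the list of site function paths, and the viewer's username and ID are assumptions chosen for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed values for the example: the messaging site's own host and the
# state-changing endpoints an image link should never point at.
SITE_HOST = "forum.example"
SITE_FUNCTION_PATHS = ("/logout", "/delete", "/settings")
ODD_CHARS = set("&%;<>'\"")
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".cgi", ".jsp")

def image_url_warnings(url, viewer_username, viewer_id):
    """Return the warning signs from the help text that apply to `url`."""
    warnings = []
    parts = urlsplit(url)

    # 1. Odd characters (&, %, ;, <, >, quotes) anywhere in the link.
    found = sorted(c for c in ODD_CHARS if c in url)
    if found:
        warnings.append("odd characters: " + " ".join(found))

    # 2. Personally identifiable information: the viewer's username or ID
    #    appearing as a path segment or query value.
    segments = [s for s in parts.path.split("/") if s]
    values = [v for vs in parse_qs(parts.query).values() for v in vs]
    if any(s.lower() == viewer_username.lower() or s == viewer_id
           for s in segments + values):
        warnings.append("personally identifiable information in link")

    # 3. Dynamic URL: a query string or a server-side script extension.
    if parts.query or parts.path.lower().endswith(SCRIPT_EXTENSIONS):
        warnings.append("dynamic URL (query string or script extension)")

    # 4. Site function URL: points at this site's own state-changing pages.
    if parts.hostname == SITE_HOST and parts.path.startswith(SITE_FUNCTION_PATHS):
        warnings.append("site function URL on this site")

    return warnings

if __name__ == "__main__":
    # The example link from the help text, viewed by the member "yourname".
    sample = "http://www.youn00b.com/omghackz.php?targetuser=yourname&use=menu"
    for w in image_url_warnings(sample, "yourname", "4711"):
        print("warning:", w)
```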