When it comes to email clients, you have things like Outlook, which has been around forever, but if you're on Linux there's a good chance you've heard of Evolution, which has its own long history going back to 2000. Some call it the Outlook of Linux because it is a complete open-source personal information manager, not just an email app, and because it supports protocols ranging from IMAP and POP to Microsoft Exchange.
One of the main reasons people choose Evolution is for its security controls. It offers privacy features like displaying emails as plain text, GPG encryption, and the well-known "Load Remote Content" option, which you can find in the security preferences. This setting is supposed to stop marketers and spammers from knowing you opened their email by blocking tracking pixels.
This trust might be misplaced. A UK system administrator by the name of Mike Cardwell has uncovered a serious flaw. According to him, if a malicious email contains an HTML tag like the following:
Evolution performs a DNS request for trackingcode.attackersdomain.example.com the second you open the message. This happens even with remote content disabled.
The sender can see that DNS request in their logs, revealing that you read their email and potentially leaking your location via your DNS resolver's IP address. This completely bypasses the privacy feature you thought was protecting you.
Cardwell filed a bug report, and the response was dismissive. The Evolution development team, when contacted about the report, blamed WebKitGTK, the web rendering engine the application uses. The team closed his ticket, linking it to another one from April 2024 about a similar tag, which can expose a user's IP address directly. That ticket points to a WebKit bug from August 2023, and nothing shows it will be fixed soon.
He even suggested a fix: Evolution could maintain a whitelist of safe HTML tags and strip out anything sketchy before the email is handed off to the rendering engine. He argued this would be a solid defense-in-depth measure, but the suggestion looks unlikely to be adopted.
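The allowlist approach Cardwell describes, as an added illustration that is not Evolution's code: any tag or attribute outside a small allowlist is dropped before the body reaches the renderer, so markup that the engine would resolve against a remote host never gets there. The particular tag set and attribute rules are my own assumptions.

```python
# Added example, not Evolution's code: an allowlist HTML sanitizer run on a message
# body before it is handed to the rendering engine. Unknown tags are stripped (their
# text is kept); scripts and stylesheets are discarded whole; attributes are kept
# only when explicitly allowed, so nothing in the output names a remote resource.
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: tag -> attributes it may keep. Everything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "a": {"href"},
}
DROP_CONTENT = {"script", "style", "head", "title"}  # inner text is markup, not mail
VOID_TAGS = {"br"}

def _safe_href(value: str) -> bool:
    # A link is only followed when the user clicks it; still reject odd schemes.
    scheme, sep, _ = value.strip().partition(":")
    return bool(sep) and scheme.lower() in {"http", "https", "mailto"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # nesting depth inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # tag not on the allowlist: removed, its text still flows through
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_TAGS[tag] and (name != "href" or _safe_href(value)):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))

def sanitize(html_body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)
```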
Cardwell is now advising users who value their privacy to ditch Evolution and switch to something else. His point is that the developers do not seem to consider this privacy leak their responsibility.
Because Evolution is the default client for GNOME, one of the most popular Linux desktop environments, it comes preinstalled on major distributions like Fedora, potentially affecting thousands of users without their knowledge.
Hope you enjoyed this news post.