I have a web application which sends a download link to subscribers. Subscribers are able to click the link from their inbox and get access to download a PDF document. That works fine, but what I want is to allow access to the PDF document only when the link is clicked from the subscriber's inbox. I mean, if the subscriber forwards this email to someone else or tries to paste the link into the browser manually, it should not work.
What you want is impossible.
Consider this situation: You email someone@example.com. They can view the email via:
a) Desktop mail client
b) Smartphone/tablet mail client
c) Webmail
All three will appear "different" to your server, depending on exactly which client they clicked on your link in. And if the user forwards the email to someone else, say otherperson@example.com, the EXACT same link will be in that person's mail file as well, and they can view it via the exact same options.
You MIGHT be able to extract a username or some other personally identifiable datum from the referer IF they used webmail and the webmail system is stupid enough to have webmail.example.com/readmail?userid=someone.
But otherwise, no, you cannot assume anything about the incoming click, only that SOMEONE clicked on the link in SOME email.
There is no way to tell if a link was opened from an email client or if it was pasted into the address bar. There is no way to track if an email has been forwarded (webbug images in an HTML formatted email are blocked by most email clients).
If you want to limit who can download the file from your servers, then require that users log in and then hope that none of them engage in password sharing.
Even that won't stop them redistributing the file directly.
It's not really possible to "protect" a link.
But if your web application requires users to log in, you can generate a unique link for each of your users, and require them to log in before allowing the download.
People will be less prone to share their login/password than a simple url.
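The per-user link plus login check suggested in the answers above, as an added example that is not part of the original posts. The token format, function names and `SECRET_KEY` value are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret; this value is a constructed placeholder.
SECRET_KEY = b"constructed-demo-key"


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_download_token(user_id: str, doc_id: str, expires_at: int) -> str:
    """Build the token embedded in the emailed URL (hypothetical format).

    Assumes user_id and doc_id never contain ':'.
    """
    payload = f"{user_id}:{doc_id}:{expires_at}"
    return f"{payload}:{_sign(payload)}"


def authorize_download(token: str, session_user, now: int):
    """Return (allowed, detail) for a request carrying `token`.

    session_user is the account the web session is logged in as, or None.
    """
    parts = token.split(":")
    if len(parts) != 4:
        return (False, "malformed")
    user_id, doc_id, expires_raw, sig = parts
    expected = _sign(f"{user_id}:{doc_id}:{expires_raw}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return (False, "bad-signature")
    if now > int(expires_raw):
        return (False, "expired")
    if session_user is None:
        return (False, "login-required")
    if session_user != user_id:
        # Forwarded or pasted link opened under a different account.
        return (False, "wrong-user")
    return (True, doc_id)
```

This controls who can fetch the file from the server; as noted above, it does not stop a subscriber from redistributing the file once downloaded.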
I know this is an old question and I'm not sure why it was down-voted, but an idea occurred to me. You could put a common pixel tracker in your email with a token that identifies the user and the email edition; when it is requested, your server would note the time the email was opened and read (and successive reads). Then if the user clicks the link in the email, a token on the link identifies the same user and email edition. When the server receives this request it could compare it to the last time the matching tracking pixel was accessed. If the pixel was accessed within a few minutes before the link was requested, that implies that the email was opened and then the link was clicked.
If the user bookmarks the link and uses it the next day, there would be no recent tracking pixel history, which implies that the request was not from the inbox.
This would be easy to spoof, so it shouldn't be used for any kind of security concern. You wouldn't know if the email was forwarded to another person. Their email client would hit the tracking pixel as well.
Many email clients would block the pixel tracking for ever-increasing privacy concerns, so it isn't reliable.
If you're just looking for an indication of usage, this might work.
I know you can have someone open their local email application (like 'mail.app' on mac or outlook on windows) and compose a new message with the following
window.location.href = "mailto:mail@domain.com";
I was wondering if it is possible to open the local email application without also composing a new message?
The use-case is, after registration, people need to check their email to confirm their account. I do not need them to send a message.
UX notes outside the scope of this question
I do not force a redirect, but rather I have a 'check my email' and 'skip' button after logging in. I have coded that 'if the email contains gmail.com', redirect to mail.google.com, but there is no way to exhaustively hard-code all possible email addresses and the URL to which each should be redirected. Therefore, if the email address is not any of the major ones, I would like to opt to open the user's local email client (without composing an email message), if this is possible.
This isn't possible from a technical perspective. There's no mechanism provided for it via JavaScript. The browser simply doesn't have that kind of permission to open a desktop app, and nor should it.
It may open a mail client specifically using the "mailto:" protocol for the single purpose of pasting the email address from the mailto link into the user's default mail client. Similarly, other protocols may (optionally) be matched to certain applications (e.g. tel: to start a phone call) on the device, but again only a very specific action can be carried out. It's not possible to simply open any arbitrary desktop application with no specific purpose in mind, no mechanism exists for it.
I am working on an email that will be sent out as a marketing effort.
Within the email there will be a button that will allow people to "save the date" of the event and I want to be able to detect if the email was opened in gmail after the button is clicked, and if it was opened in gmail it would serve a Google Add to Calendar link - else it would serve an ICS file.
There is another email that does exactly this, it does not detect user agent since, regardless of the browser and os and device, if the email was opened in gmail it would redirect to google's add to calendar!
I've been trying to figure this out for a while now and have tried many tricks, though none successful. I would love to see what other ideas people have.
Edit: I noticed that gmail will add data-saferedirecturl to all links
I'm wondering if there is a way to detect this?
If you want to know the source of the click on your link, you can do so by using a trick with images:
Inside your mail, insert a tiny image pointing to your domain (preferably with a different identifier for every recipient).
When user first opens your mail, the Gmail proxy server will send your server a request to get the picture.
You can identify the request coming from the Gmail proxy server using any of the indicative elements of the request (Like IP address, User-Agent and such).
Though, note that: If the recipient opens the mail again in Gmail, you won't see a request to your server, since this picture is saved in the proxy server's cache.
You can't pass JavaScript to a mail reader.
But you can add an email tracking pixel.
I am working in Google Apps, and am trying to build a workflow app which emails people a link to approve/decline requests.
I know how to capture variables from a link, however I would like to be able to capture the email address of the person who clicks the link from their inbox. This will allow me to determine if a non-authorised person hits approve (e.g if the email is forwarded).
Is this possible? My guess is not, based on other posts.
What other method would you suggest in this circumstance? (e.g include a link to send an email, and capture information this way)
Many thanks for your guidance.
Yes, it's possible, but only if you can publish your script to run as the user. This will mean that:
any services you use must be able to run as the user, not as the owner of the script (if not, this can be worked around using manual OAuth2 or a second worker script called from this one, but it's complex and out of the scope of this question)
the user will see an approval screen the first time asking for permissions to such services and to view their email address.
the user must have a Gmail/Google Apps email account.
With this, Session.getActiveUser().getEmail() will give you the user's email address.
Suppose I have 200 links, and if a visitor continuously visits all the links, I want to offer a free PDF book after the last link; but if someone visits the last link directly, the offer should not be displayed.
In this case the user may take a month or longer to complete the tutorial site (this site), and the user may delete cookies, so I should not use local storage or something like that.
So I'm going with the user's IP address: if the user at that IP completes all the page visits, the offer should be displayed.
So, how do I decide whether an IP address has viewed all the pages and, if the user is at the last link, display the offer?
Does it have a login feature? If so I would track page views by url and userId.
The shortcoming of ip address is that different people using the same computer will count towards the same tracking. Also, you will not get credit if you visit the site from two different locations.
It is not possible to track the information with only the IP address. The IP address can change every time the user reconnects to the internet, e.g. after a router reboot. You will have to provide a user login feature so you can associate the link visits with that user account.
The usual way to do this would be as follows using some server-side storage:
When a browser hits your server on any of the pages you are tracking, you see if there's already a tracking cookie in the browser. If not, you coin a unique ID for this browser and put it in a cookie that you set into that browser. Make sure the path allows visibility of the cookie anywhere on the site and set the expiration for however long you want.
In your server-side database, create an entry for this cookie ID and record that the page that was just hit has now been seen by this cookie ID.
On any subsequent page hit, get the cookie ID, look it up in the database, record that this page has now been viewed by that ID and check if all the required pages have now been viewed by that ID. If so, add the special offer to the delivery of the current page.
Using a cookied ID like this avoids issues with multiple browsers sharing a single IP address (which even happens on home networks and happens all the time on corporate networks).
If your site has a user login, it's even better to use the login ID as the user identifier because that allows you to accumulate the browsing history of the user even if they use multiple browsers/multiple computers as long as they login first.
FYI, some of the logic above can also be implemented via ajax calls made from the client upon each page load rather than work done at the time of serving the page - though this adds an extra server request for each page.
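The cookie-ID procedure from the answer above, as an added example that is not part of the original post. The `VisitTracker` class, the cookie name and the one-year lifetime are assumptions, and the in-memory dict stands in for the server-side database.

```python
import secrets

COOKIE_NAME = "visit_id"          # hypothetical cookie name
COOKIE_MAX_AGE = 365 * 24 * 3600  # assumed lifetime: one year


class VisitTracker:
    """In-memory stand-in for the server-side table keyed by cookie ID."""

    def __init__(self, required_pages):
        self.required = frozenset(required_pages)
        self.seen = {}  # cookie ID -> set of required pages viewed

    def handle_request(self, path, cookie_id=None):
        """Record one page hit; return (cookie_id, show_offer)."""
        # IDs the server did not issue are ignored and replaced, so a client
        # cannot choose its own ID; issued IDs are 256-bit random values.
        if cookie_id not in self.seen:
            cookie_id = secrets.token_urlsafe(32)
            self.seen[cookie_id] = set()
        if path in self.required:
            self.seen[cookie_id].add(path)
        # The offer is shown only once every required page has been recorded.
        return cookie_id, self.seen[cookie_id] == self.required


def set_cookie_header(cookie_id):
    """Set-Cookie value: site-wide path, long expiry, not readable by scripts."""
    return (f"{COOKIE_NAME}={cookie_id}; Path=/; Max-Age={COOKIE_MAX_AGE}; "
            "HttpOnly; Secure; SameSite=Lax")
```

With a login in place, the same table can be keyed by the account ID instead of the cookie ID, as the answer suggests.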
Is it possible to access cookies from an email? My fear is that one can for instance steal facebook login cookies simply by sending an email.
I know it's possible to redirect a user to an url without him to be aware of it. For instance, I used to display a 1x1 gif to redirect the user to a url (I used that to make email opening stats). What if on the target url I create a malicious js script: will I be able to access the user's cookies?
Or to put it differently, if there is a link in the email and the user clicks the link, is the target website able to access user's cookies?
I read this; does anyone have more details on the subject?
@user3345621
Thanks for your answer, it seems correct to me.
But to take on the facebook example again, I have a couple more questions:
I may be wrong, but I think the cookie encryption does not help in this case.
The cookie encryption will help to hide the password in case for instance I access
your local machine and look in the cookies directly.
However, if I steal the encrypted cookie, I will be able to use them,
and let facebook do the decryption work.
So in other words, I think it does not matter whether or not cookies are encrypted,
as long as the application (facebook in this example) will decode them for you.
Now, same remark about the fact that the cookie is recreated.
I think this is a direct consequence of using session_regenerate_id function.
But anyway, my understanding (which may be wrong) is that even if the cookie is recreated,
if the hacker sends you a malicious email, he will get the newest version of the cookies
anyway since in the technique I'm describing, you're redirected to a malicious website,
so that website, when opening would have access to the current cookies (if possible).
?
I might be incorrect, since I'm fairly new to application security.
Here goes my best shot, concerning cookies now:
Cookies are domain specific (FACT), when you have a facebook cookie storing your user ID and your email (perhaps?) only the facebook domain has access to that cookie. Also, in most cases, the information in your cookie, especially in enterprise systems such as facebook, is encrypted, in other cases a hash is used to mask the information (Sort of fact).
So let's take facebook as an example, since they use a strong encryption format (FACT). If for instance you were able to get hold of a user's facebook cookie, you would need to de-crypt the information to start off with, for it to be of any use to you. By that time a new cookie would have been generated (darn facebook addicts).
Onto the security issue, if by some means you were able to get hold of a user's cookie that does NOT belong to your domain, it would be a hack (d'oh!), and you would need to check for any browser (Yes you should be exploiting the browser), that has such an exploit, or look for one yourself.
So here they are:
Browser Exploit, hack a specific browser.
De-crypt (or de-hash) the cookie, if it's encrypted.
And do this all before the cookie has expired.
And the world is yours.
I tried to send myself an email with the following image:
<img src="http://localwebsite/js.php" />
On my local machine, I created a page at this url:
http://localwebsite/js.php
Which would alert("something") using javascript.
Sending the email to myself,
I expected that the mail client would open a web browser page and open the js popup,
but that's not the case at all.
What happened is that since it's not really an image,
my mail client (using mail on mac) did display a blue square exclamation mark,
indicating that it could not display that image.
Even if I click on "load images".
Then nothing more happens:
I presume the mail client goes to the url and tries to display the expected image in the message,
but since there is no image, nothing changes.
The url wasn't open in the browser at all, everything was done in the background.
Reading more about javascript in emails, it seems that generally, javascript is not interpreted at all
in emails.
I tested that too: sending an email containing:
<script type="application/javascript">alert("pou")</script>
Mail (mac) does not execute the script.
So to answer the question,
I believe that the only thing a hacker can do with mail is:
sending a link, then if you click on that link, anything can happen
create an image that he can use to track whether or not you've opened the mail
So if you're cautious enough, mail isn't a big threat.
I was paranoid…