Security Check: Can Chrome Email Tracking Extensions Store Your Private Emails?

My name is Vadym, I am from Anti-Malware Lab (former Kromtech Security Center). Our research project focused on monitoring digital risks and privacy violations. Here’re our recent research findings. If you have questions, concerns or ideas to update it—please, comment here or contact me.

TL;DR

If you were wondering whether you can rely on the privacy email trackers in Chrome, the short answer is: Not really. Two of the three most popular email tracking extensions we analyzed are receiving content from the body of your email even if this is not necessary.

The Long [detailed] Answer

You have to watch your back in extension stores. This is especially true in Chrome with the almost 60 percent market share that makes the browser a nice piece of pie for cybercriminals. Google says that 70 percent of the malicious extensions are blocked, but a steady stream of recent research findings show that the problem is far from resolved.

I want to emphasize that extensions shouldn’t be malicious to be dangerous. The collection of unnecessary (for extension work) user data could potentially lead to problems on par with malware cases.

Based on feedback from some of our users, we decided to analyse three popular free mail trackers — Yesware, Mailtrack, and Docsify. Each of them allows tracking email open and reply rates, link clicks, attachment opens, and presentation pageviews as well as allowing copies of important emails to be sent directly to your CRM automatically.

We looked at the permissions that each extension requests, the actual data from your email that goes to the extensions’ hosts, and how this is all shown in the Privacy Policy. Here’s a breakdown of what we found.

The Permissions You Give

Installing Yesware is accompanied with the standard permissions it requires. The most nefarious looking request is to “Read and change all your data on [all] websites you visit.”

Usually, such extensions only require this level of permission on a specific website. For example, the official Google Mail Checker (email tracking for Gmail) asks to “Read and change your data on all google.com sites.”

As far as I can tell, the extension developers decided to ask for “unlimited” permission instead of bothering you with an extended list of websites where their extension is going to interact. However, you need to understand that in accepting this you are giving Yesware much more accessibility than it needs for its actual work.

Interestingly, we noticed that after confirming the permissions for the extension, you then have to confirm other permissions — for the app.

It’s important to know that permissions that present like the screenshot above are related to the app, not the extension.

What does it mean? Essentially, if you decide to delete the extension, the app will still have an access to your data.

Similarly, Docsify asks permission to read and change all your data on the websites you visit. Permissions are required by the application as well.

Mailtrack, in contrast to the first example, doesn’t ask users to access to all websites, only email-related websites.

These permissions are standard for this type of extension — to read, send, delete, and manage the emails.

The Email Data They Get

The most interesting part of our investigation came from analyzing the email content which every extension collects and processes. At this stage, we used Burp, a tool for testing Web application security. Its proxy server tool allows us to inspect the raw data passing in both directions — in our case, from sender to extension data storage.

Yesware Email Data Collection

The Yesware Privacy Policy and Terms of Use don’t include information regarding storage of the data from your email. However, our research shows that the app does manage email data storage.

To be clear, we tested the free version of Yesware without CRM integration. After composing and sending an email, we checked the host app.yesware.com in Burp to find the data from the email message that was sent there.

Our sample email with tracking features turned on in Yesware.

It’s easy to notice that our email body went to the Yesware host. In other words, the extension collected and processed the entire content of this personal email.

It’s easy to notice that our mail body went to the Yesware host. In other words, the extension collected and processed the entire content of this personal email.

The data we found with Burp.

Surprisingly and importantly, when we deselected the Track and CRM checkboxes in order to stop tracking any activity related to your emails — the situation remained the same.

The content of the second email with tracking features off.

The Yesware sent the body of an email even in this case.

The Burp analysis of the second case.

We determined that only by turning off all the features in the extension preferences helped. In this case no data was sent to host.

In order to get an explanation for all this, we sent an email to Yesware support. The first email to [email protected]. (12 October 2018) you can find below.

Dear Yesware Security Team

My name is Vadym, I am security researcher with Kromtech Alliance Corp. (

https://kromtech.com/) We are product developer company, with malware analysis as one of our activities. During the recent research our team discovered, that “Yesware Email Tracking” Chrome extension sends an e-mail body to domain app.yesware.com even if user turned tracking off.

As e-mails are considered personal information, you should inform your clients about the fact of collecting and processing of such data, and get their consent to do so. You should also describe this in privacy policy and provide information about:

1. What is the purpose of the collection of personal information?

2. Where are you using this information?

3. Where are this information being stored?

4. How users can prevent themselves from data collection?

We hope you can provide us with reasonable explanation of such malicious behavior of your browser extension, as we are going to make a publication about this case and would like to include your commentary in it.

You can use my business email for communication: [email protected]

Best regards.

Vadym Lysenko

Security Researcher at Kromtech

In the end, we sent three emails. The second resulted in a sender suspension.

However, the third one, sent from another account, was answered. Here is the response:

Hello Vadym,

Thank you for reaching out! My colleague, Simone, had responded to your previous email with the following message:

Yesware is an analytics platform that allows users to gain insights into the activity of their emails. We do ask for users for permissions during the OAuth process to access their inboxes and emails to allow Yesware to collect metadata so our customers can know how well their emails are engaging with their clients.

The answers to your questions can be found on our Security Overview Page (

https://www.yesware.com/security/), specifically under “Data We Collect” to get more information regarding this as this shows not only the data we collect but how Yesware utilizes such data for our customers. On this same page, you can also see our current security certifications as well as security and compliance standards and procedures we have in place.

Please let us know if there’s anything else we can do to assist, thanks!

Let us know if you have any other questions. Have a good day!

Sincerely,

Zaria R. Customer Experience Specialist

The security page says that Yesware does not store any permanent copies of the bodies of your email messages. However, for some CRM integration features, we store a temporary copy of message bodies until this data has been properly passed on to your CRM system; once this data has safely been recorded by your CRM, we delete it from our systems. This temporary data is stored in encrypted form; at no point do we store plaintext message body data”.

As I said before, we were testing the free version of Yesware without any integration with CRM. That’s why a couple of questions are still left:

  1. Why does Yesware receives content of the email body if the tracking functions are turned off and integration with CRM isn’t set?
  2. Why is the information about collecting and processing user data located on some page at the bottom of the website instead of being included in the Privacy Policy?

I think it’s crucial to include the information about the personal data policy in the installation process to help users make an informed decision about whether to install the extension.

Mailtrack Email Data Collection

The Mailtrack Privacy Policy guarantees that the body of your emails won’t be stored in company’s servers in any situation.

We can’t prove or disprove the fact of storage, but we checked whether this data is being sent to the servers. As with Yesware, we analyzed the Mailtrack free version, without any additional integrations. Also, we left all free tracking features on.

Analysis showed that this extension doesn’t collect your email body. You can make sure of it by comparing the original email and the code from Burp below.

Our email with Mailtrack tracking features on.

The analysis from Burp.

Docsify

The Docsify Privacy Policy claims that they do collect your email content. The document says:

“We collect and process the information sent by our Clients through our Service as a part of our Service. Such information may include documents, links, list of contacts, recipients’ email addresses, message subject, and other information sent by our Clients through our Service.

We made the same actions for Docsify and it doesn’t collect the email body.”

Similar to the other cases, we tested the app by sending our email with basic tracking features on, without the CRM integration. As mentioned in the Privacy Policy, the extension sent the email body to its servers.

We sent the email with next content.

“Please confirm, that you received this message. TOP confidential”

As you see, the email body was sent to Docsify servers.

The Burp analysis of our email with trackers features on.

What’s interesting — if you check the Docsify app you don’t find the content of the email body (as promised in Privacy Policy). At the same time we know that Docsify DOES collect it.

Email analytics shown in the Docsify app.

How Can Risks from Poor Extension Security Be Minimized

Is it possible for developers to use alternative methods which don’t store private emails? Unfortunately, there’s no shortage of all-purpose ideas, but it depends on different tech factors.

However, for end users, there are at least two essential steps to reducing your risk from stored email copy.

1. When you install a browser extension, pay attention to how much access you’re granting to your personal data. For example, by approving the “ability to read and change the data on all websites you visit,” you basically let an extension capture your passwords and credit card numbers or other personal details. Yes, sometimes there’s no other way that apps can work and interact with open web pages, but you never know whether it will use its permissions for good or evil or whether the security of the applications’ servers will remain intact.

2. Use common sense as your best security guard. If you clearly understand the problem or task you want to resolve with an extension, you can understand what permissions are actually necessary for helping you. Choose apps wisely, giving them the least amount of data possible.

3. Remember that some extensions don’t put information about data usage to the Privacy Policy. They are obliged to inform you by international law. If you don’t see this information in the Privacy Policy or Terms of Use, check the website footer for pages like “Security” or “Data Usage.”

4. Review and remove the apps you haven’t been using. We’re living in an era of data breaches. Every app has a potential problem.

5. Be sure you’re completely removing the app. As with Yesware and Docsify, if you give permission to the app, they won’t lose the access to your data even after their extensions are removed. To check and manage the permissions you’ve given to all the apps, follow these steps:

  • Log in to your Google Account.
  • Click the Security tab on the left.
  • Select Manage Access under “Connected applications and sites.”
  • Click the Revoke button for the services you want to remove data permissions for.

While we don’t have time to find and examine every extension that promises to keep the data from your emails private, we have reasons to believe that the majority of them are more interested in easy ways to do their job than in your real privacy.

It doesn’t matter how legitimate or trusted an extension is, the less it knows about you, the more secure you are.

read original article here