christoph ender's

blog

friday the 5th of april, 2024

kobold letters

Turns out specific e-mails, called Kobold letters, may change their contents when they're forwarded, simply by putting properly coded CSS into the mail.

This attack is possible because most email clients allow CSS to be used to style HTML emails. When an email is forwarded, the position of the original email in the DOM usually changes, allowing for CSS rules to be selectively applied only when an email has been forwarded.

Currently the only defense appears to be switching off HTML in e-mails altogether.
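For triage, a mail filter can at least list the style rules that toggle visibility. The following heuristic is an added example, not code from the original post, and it does not replace turning HTML off: it flags an HTML body that hides content under one selector and shows it again under another. The function names and the sample body are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic: properties that hide or reveal content (not exhaustive).
VISIBILITY = re.compile(r"\b(display|visibility)\s*:\s*([^;}]+)", re.I)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
COMMENT = re.compile(r"/\*.*?\*/", re.S)
HIDING = {("display", "none"), ("visibility", "hidden")}

# Constructed sample body, for illustration only.
SAMPLE = """<html><head><style>
.note { display: none; }
.wrapper > .note { display: block; }
</style></head><body><p>Visible text</p><p class="note">Hidden text</p></body></html>"""

class StyleCollector(HTMLParser):
    """Collects the raw text of every <style> element."""
    def __init__(self):
        super().__init__()
        self.in_style = False
        self.css = []

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def visibility_rules(html):
    """Return (selector, property, value) for every rule that sets visibility."""
    collector = StyleCollector()
    collector.feed(html)
    css = COMMENT.sub("", "\n".join(collector.css))
    return [(" ".join(sel.split()), prop.lower(), val.strip().lower())
            for sel, body in RULE.findall(css)
            for prop, val in VISIBILITY.findall(body)]

def is_suspicious(html):
    """Flag a body that hides content and re-shows it under another selector."""
    rules = visibility_rules(html)
    hidden = {sel for sel, prop, val in rules if (prop, val) in HIDING}
    shown = {sel for sel, prop, val in rules if (prop, val) not in HIDING}
    return bool(hidden) and bool(shown - hidden)
```

A body that only hides something, such as a preheader, is not flagged; inline `style` attributes are outside what this check looks at.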