Major Privacy Issue in Evolution Email Client

Neomailbox

DANGER

The Evolution email client has a serious bug that leaks private information to anyone who sends you an email that you open in Evolution. There is no fix or workaround suggested by the project. This is a major show-stopper bug and disqualifies this email client for use by anyone who cares about privacy or security. This bug is also present in the Balsa, Geary and KMail email clients.

It has recently come to light that the Evolution email program has a major bug, first reported to the Evolution developers on April 21, 2024, that has still not been resolved.

This bug relates to the “Never load remote content from the Internet” configuration option, which is supposed to disable the loading of remote content in an email.

Evolution and the other affected email clients, including Balsa, Geary, and KMail, leak information to remote content servers even when this setting is enabled, which is a major privacy and security flaw.

What makes the situation worse is that all of these projects consider this bug to be “somebody else’s problem” as the issue is not directly in their own code, but in code from a dependency. With nobody taking responsibility for the bug, there is no workaround or timeline for a fix.

Why Disabling Loading of Remote Content is Important

One of the fundamental privacy settings recommended for all email clients is to disable automatic loading of remote content in emails.

Disabling automatic loading of remote content ensures that images and other content referenced by an email but hosted on the Internet are not fetched by the email client when you open the email.

This is important because fetching remote content from a server on the Internet provides private information to that server, including:

  • The fact that you opened the email
  • The time when you opened the email
  • The IP address of the computer where the email was opened
  • The name of the email program you used to open the email

Given that you can receive email from all sorts of untrusted sources, disabling loading of remote content is critical to preventing the leakage of this private information to unknown potential attackers.

A Foolproof Way To Attract Spam

One of the most noticeable results of loading remote content in email is a steady increase in spam targeted at your email address.

This is because spammers use tiny single-pixel tracking images in their emails. These are remote images linked from the email, and when your email program loads these images, that confirms to the spammers that your email address is valid, and that someone has opened their spam message.

As a result, spammers will move you to their database of verified “good” email addresses which are known to be valid and active, and will target your address with more spam.
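The mechanism described in the two sections above (what a single remote-content fetch tells the server, and how a per-recipient tracking pixel lets a spammer verify an address) as an added, runnable example. This is illustrative code written for this page, not code from Evolution, WebKitGTK or Neomailbox; the host tracker.example, the token scheme, the IP addresses and the User-Agent string are all constructed. It also doubles as the check a practitioner would want: run the server on a host you control, mail yourself the generated HTML, open it with "Never load remote content from the Internet" enabled, and any request that reaches the log proves the setting did not hold.

```python
# Added example: what a remote-content server learns from one tracking-pixel
# fetch, and a tiny server you can run to test a mail client yourself.
# Not code from Evolution, WebKitGTK or Neomailbox; all names are constructed.
from __future__ import annotations

import base64
import http.server
import re
import secrets
from datetime import datetime, timezone
from urllib.parse import urlparse

TRACKER_HOST = "tracker.example"  # hypothetical host under the sender's control
ONE_PIXEL_GIF = base64.b64decode(  # a 1x1 transparent GIF, 43 bytes
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAICRAEAOw=="
)
SENT: dict[str, str] = {}  # token -> recipient, the sender's mailing list


def build_tracked_email(recipient: str) -> tuple[str, str]:
    """Build the HTML body a spammer or marketer sends. The only remote
    content is a 1x1 image whose URL carries a random per-recipient token,
    so one request for it proves this exact recipient opened the message."""
    token = secrets.token_urlsafe(12)
    SENT[token] = recipient
    html = (
        "<html><body><p>Hello!</p>"
        f'<img src="http://{TRACKER_HOST}/px/{token}.gif" width="1" height="1" alt="">'
        "</body></html>"
    )
    return token, html


def record_open(raw_request: bytes, client_ip: str, now: datetime | None = None) -> dict:
    """Parse one HTTP request exactly as the tracking server receives it and
    return everything the sender now knows. The mail client volunteered all
    of this simply by rendering the message."""
    head = re.split(rb"\r?\n\r?\n", raw_request, maxsplit=1)[0].decode("latin-1")
    request_line, *header_lines = head.splitlines()
    target = request_line.split()[1]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path = urlparse(target).path
    token = None
    if path.startswith("/px/") and path.endswith(".gif"):
        token = path[len("/px/"):-len(".gif")]
    opened_at = now or datetime.now(timezone.utc)
    return {
        "recipient": SENT.get(token),                 # who opened it
        "address_verified": token in SENT,            # goes on the "good" list
        "opened_at": opened_at.isoformat(),           # when it was opened
        "client_ip": client_ip,                       # from which network
        "user_agent": headers.get("user-agent", ""),  # which mail program
    }


class PixelHandler(http.server.BaseHTTPRequestHandler):
    """Minimal tracking server: serve the pixel, log what was leaked."""

    def do_GET(self):
        raw = f"{self.command} {self.path} {self.request_version}\r\n"
        raw += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        raw += "\r\n"
        print("LEAK:", record_open(raw.encode("latin-1"), self.client_address[0]))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(ONE_PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(ONE_PIXEL_GIF)


def demo() -> dict:
    """Offline round trip on constructed data: build a mail for one recipient,
    then feed the server the request a WebKit-based client would make for
    that pixel. The User-Agent and IP are illustrative, not captured values."""
    token, _html = build_tracked_email("alice@example.net")
    request = (
        f"GET /px/{token}.gif HTTP/1.1\r\n"
        f"Host: {TRACKER_HOST}\r\n"
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko)\r\n"
        "Accept: image/*,*/*;q=0.8\r\n\r\n"
    ).encode()
    return record_open(request, "203.0.113.7",
                       now=datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(demo())
    _token, html = build_tracked_email("you@example.net")
    print(html)
    # Point TRACKER_HOST at this machine, send yourself the HTML above, open it
    # with "never load remote content" enabled, and watch for LEAK lines:
    http.server.HTTPServer(("0.0.0.0", 8080), PixelHandler).serve_forever()
```

The point of the token is that the server never needs to know your address in advance: the URL itself identifies you, so a single fetch both confirms the address is live and ties the open time, IP and User-Agent to it. When used as a test, a client that honours the setting produces no log line at all; a client with the bug described on this page produces one the moment the message is displayed.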

The Importance of IP Address Privacy

The bug in Evolution enables anyone who sends you an email that you open in Evolution to discover your IP address.

This is a significant security risk, as knowledge of your IP address allows an attacker to:

  • Know your likely geographical location
  • Directly attack your home network or computer
  • Launch indirect attacks leveraging your IP address

Good security and privacy practice requires protecting your IP address. This is why our Secure Email service removes your IP address from messages that you send, and our NeoTunnel Private Surfing service protects your IP address as you surf the web.

However, as the Evolution bug shows, privacy and security risks can come at you from different directions, and it is critical to select software tools that take security and privacy seriously.

Buck-Passing and Disregard For User Privacy

The most telling aspect of this Evolution bug saga is the unfortunate stance of the app’s developers. Instead of tackling this issue as a high priority, they have chosen to simply point out that the bug is not in their own code, but in WebKitGTK, a library that Evolution uses to display HTML email, and thereby disclaim responsibility for it.

While the technical point noted by the Evolution developers is true, it does not absolve them of responsibility for the bug as it affects users of Evolution.

As a critical privacy-affecting bug, where the user interface offers a privacy-protecting option that does not work, and fails silently, this needs to be prominently brought to the attention of users, until the bug is fixed.

Enabling the option to “never load remote content” should pop up a warning dialog that informs the user that this option doesn’t work properly, and that remote content may be loaded regardless of the setting of this option.

The lack of such notification and the attitude of the developers reveals complete disregard for user privacy.

Given this fact, the Evolution email client is best avoided, as are others that rely on the WebKitGTK component, such as Balsa, Geary and KMail. The relevant bug report for WebKitGTK has been open since August 03, 2023.