And that’s the long and short of it.
Spagnuolo has street cred as a security researcher, including a recent Google reward of $3113.7 (he won the larger sum of $5000 the month before that, though it doesn’t sound so cool), but not everyone seems happy about his “vulnerability.”
Over on self-styled alpha geek technology website Ars Technica, Spagnuolo has had a bit of a hammering from some commenters.
They’re saying, “So what?”
Therefore, the naysayers are confronting Spagnuolo with remarks along the lines of, “Sensationalist claptrap. This is not a vulnerability. This is Web 2.0. Nothing to see here. Move on.”
And, do you know what?
So now the question is, “Why?”
I was interested to know what various experts and educators thought, so I set about looking and asking around.
Here’s colleague and fellow Naked Security writer Mark Stockley on the issue:
I think context is everything. Email is reading something on your computer whereas using the web is more like reading something on somebody else's computer. They're functionally no different but I think the underlying mental models are very different. The difference between the mental model and reality is a gap into which security problems can sprout.
Stephen Chapman, advisor and educator, writing on About.com:
With web pages it is the person browsing the web who decides which web pages that they visit... With emails it is the sender who has the most control over what emails are sent and the recipient has less control. Because emails that we don't want can get through our spam filter we want the emails that we do see to be made as harmless as we can.
And an anonymous commenter on Quora.com, replying to someone who had asked that very same “Why?”:
I think it's simply that people don't want more interactive emails. Most person-to-person email is text-based: other than maybe some HTML formatting, people send email to each other via written paragraphs, maybe with a picture attachment or two... Since email is pushed onto the user, it makes sense that the content being pushed is as unintrusive as possible.
There are other important reasons, too.
Perhaps the most significant is what browsers call the same origin policy.
This basically says that scripts are limited to reading data from, and sending data to, the same source as the page they’re running in.
By this restriction, for example, scripts on your favourite social networking site can’t see or use the session cookies set by your webmail client; data uploaded via a page on a technical support site can’t inadvertently be sent somewhere else; and so forth.
But how would you decide the “same origin” for an email you’d received?
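To make that question concrete, here is an added example (not code from the original article) of the comparison a same origin check performs, and of what happens when content arrives as a local file or a message part instead of from a web server. The function names and all hostnames and paths are constructed for illustration, and the sketch assumes a simplified rule in which only http: and https: URLs have a (scheme, host, port) origin.

```javascript
// Added illustration (not from the article). Hostnames and paths are constructed.
// Simplification: only http: and https: URLs get a (scheme, host, port) origin.
const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

// Return the origin tuple as a string, or null for an opaque origin.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null; // not an absolute URL: nothing to derive an origin from
  }
  if (!DEFAULT_PORTS.has(u.protocol)) {
    return null; // file:, data:, cid:, about: ... name no server to compare
  }
  const port = u.port || DEFAULT_PORTS.get(u.protocol);
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two URLs are same-origin only if both have a tuple origin and the tuples match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false; // opaque never matches, even itself
  return oa === ob;
}

// Constructed sample pairs: [page the script runs in, resource it wants to touch].
const SAMPLES = [
  ["https://webmail.example/inbox", "https://webmail.example:443/api/session"],
  ["https://social.example/feed", "https://webmail.example/inbox"],
  ["http://webmail.example/inbox", "https://webmail.example/inbox"],
  ["file:///var/mobile/attachment.html", "file:///var/mobile/attachment.html"],
  ["cid:part1@mail.example", "https://webmail.example/inbox"],
];

function evaluateSamples() {
  return SAMPLES.map(([page, target]) => ({ page, target, allowed: sameOrigin(page, target) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.allowed ? "ALLOW" : "DENY "}  ${r.page}  ->  ${r.target}`);
}
```

The last two pairs are the email-like cases: a saved attachment or a message part has no server behind it, so the only safe answer a checker can give is that it matches nothing.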
→ This reasoning, defence in depth, is why running an email spam filter to strip malicious attachments isn’t a substitute for endpoint anti-virus, but a complement to it. To be fair: Dropbox may be planning a two-pronged fix, but updating an app on the App Store is not an instantaneous process.
What do you think? Is this a vulnerability of sorts? Or a fuss about nothing?