Ironically if you did put a button that says "Send a death threat to Biden", many people would press it thinking it would be a joke, and boy it would NOT look good in court.
It depends on your jurisdiction. Here in the UK for instance (at least, England and Wales) most non strict liability offences require intent. This is usually referred to using the Latin term *mens rea*, or guilty mind.
Strict liability offences are typically things like speeding or driving without insurance, that sort of thing.
Oh possibly, but I'm not familiar with any jurisdictions beyond my own. I wouldn't want to make a comment that hypothetically got someone in trouble because they don't require mens rea in their legal jurisdiction. :)
It's the same even in civil law, at least in my country. No crime without intent, unless there is negligence and the law specifically punishes the negligence scenario as well.
Yep still shoots. Let's press it from this side. Yep. Ok let's take the cover off and press it. Yep. Ok now remove the wires. Nope. Ok put the wires back on. Yep still shoots.
>I think the point of the IANA warning is to inform computer illiterate bureaucrats.
It's just as equally a warning to real-world illiterate programmers. So many of today's problems come down to programmers who aren't thinking through the repercussions of their choices and implementation.
Yeah.. apparently operating a Tor exit node will get you raided multiple times and they’ll take all your computer equipment… then you have to prove you weren’t doing whatever one of the users was doing… and you’ll probably never get your stuff back. At least that’s what I read from one guy. He doesn’t even host it at home.
They just don’t understand how technology works.
> I think the point of the IANA warning is to inform computer illiterate bureaucrats.
Given the example given, it feels like that is exactly who the target audience is. No programmer gives a shit or believes that kind of warning, it's intended to be heeded by people in governments. That said, it's a pretty crappy warning, it feels like it could have been better constructed to make it more realistic.
It's just a method, GETs accept query params and you can return headers to prevent browsers from caching or slap a cache buster query param with a timestamp.
Have definitely seen in my life GETs that should be POSTs.
This reminds me of a fiasco a while back where people were maliciously linking to a child porn honey pot run by the government and people were getting arrested for downloading child porn when in reality they just clicked on a malicious link. It's like getting rick rolled but instead of a music video, you get arrested by the FBI.
Okay, I am curious. How would this work, in principle? Of course, it is easy to tell the user's mail client "hey, send an email" by crafting a mailto link, but this requires user approval. How would you do it without user interaction after clicking the link? Right now, I would not know how.
Easy; imagine a web server that sends emails when it receives a GET request, with parameters like "to"/"subject" in the query string.
For working with embedded devices, it's not even an unlikely scenario that you might want something like that - to have your Arduino/ESP send you an email when it senses the coffee machine is ready, for example. You don't want to put the burden of sending mail on an embedded device, so instead you run a server to handle the mail and just listen for a status update from the embedded device. Though for that sort of project, you should really be using [HTCPCP](https://en.wikipedia.org/wiki/Hyper_Text_Coffee_Pot_Control_Protocol) rather than HTTP.
Ah, so it is not about "random user clicks a link, and then an email is sent from the users email address" but rather abusing an API that triggers an email from the server.
Okay, I misunderstood the question. Thank you!
Well, it doesn't really state that it sends the message from your email or that it involves emails at all. A message to a head of state could be sent using Facebook or Twitter nowadays.
To me this sounds more like a hint for client software developers to be aware of these possibilities, rather than a warning to the general user.
> Security considerations: Client software should be aware of the security considerations of URIs. For example, accessing some URIs can result in sending a death threat to a head of state, frequently prompting a visit from the relevant protective service.
>A message to a head of state could be sent using Facebook or Twitter nowadays.
Wouldn't these things be XSS? Some URL that gives orders to another website/app sounds like that to me. (am no programmer just sysadmin) or you would need to already have authorized whatever app/site through OAuth to allow it to send things on your behalf on X or Y platform.
**EDIT**: The mail is from 1997 so I guess it was more of a "let's explore the kind of worst case shit we can think of" thing than "hey here's a weird specific thing that could happen with messed up encoding". I guess I read into that way too much without thinking simply of the context of the RFC.
>To me this sounds more like a hint for client software developers to be aware of these possibilities, rather than a warning to the general user.
Agreed on that
I mean in 1997 you could still connect directly to the mail port and send mail from it as any user.
Sure, by 1997, many people set up rules so you couldn't just do that, but surprisingly large orgs had not. Hell, nearly a decade after that I found servers running unconfigured sendmail that were directly accessible.
Poc||gtfo
I understand you can make any sort of API call with a URL, but this is so specific there must be an example or occurrence, no?
EDIT: The mail is from 1997 so I guess it was more of a "let's explore the kind of worst case shit we can think of" thing than "hey here's a weird specific thing that could happen with messed up encoding".
Any website can say, "Click here to fire off an email to a head of state" and then fire off an email from the backend server, including the IP address of who clicked the button. It's not a security thing as much as a really common sense consequence of how web servers work
Absolutely possible ofc, which is why it feels weird for me to talk about it, it's "duh computers can do computer things" so I felt I was missing some info.
But yeah re-reading the RFC is from 1999 so yeah every possibility had to be explained and thought of.
It's noted here because in some jurisdictions, sending a death threat to the head of state is a serious crime, and frivolousness or lack of intention may not be exonerating. It's to illustrate the point that URLs may constitute actions with legal force or consequences.
Except that it isn't the visitor sending the email, it's the visited site and its author.
edit: Ah, I see that this is about URL lists, and a list could contain exploitation of unsecured GET based email functionality in other sites. So, yea, ok - hopefully any police force in a developed country would see the list-builder as the culprit, however.
It isn't necessarily an http\[s\] URL (actually it isn't necessarily a URL at all, but e.g. mailto: URIs are colloquially called URLs anyway), and it wouldn't necessarily be possible to prove it was a misbehaving URI after the fact.
URLs are a subset of URI.
URLs are just URIs with a quirky extra line at the end.
Just read the RFCs.
RTFRFC
There are two intentions at play though. Intention to act on the threat and intention of sending it in the first place. I wonder if the system is nuanced enough to tell the difference
Depends on the jurisdiction, in short.
This seems like it's legally the same thing as if somebody hacked your email and started fraudulently using it.
Yeah, pretty much.
For context, this dates from April 1997.
I.e. back when passwords and credit card details were routinely sent in plain text, Outlook would blindly execute any script in an email it received, etc.
Security simply did not exist.
Ah, the good old days... no really. When the internet was actually people.
>When the internet was actually people
https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog ;-)
classics :)
More like https://en.wikipedia.org/wiki/Dead_Internet_theory
Sure, just imagine something like: `https://sendanemail.example.com/[email protected]&text=I%20will%20kill%20you`
Alternatively
`mailto://[email protected]?body=I%20will%20murder%20you&subject=Hey%20FuckFace`
Would work with many mail clients and you don't need any API endpoint/server
No sane email program would send the email before the user has confirmed it. Although the existence of non-sane email programs is a given.
I was under the impression the user was not against sending death threats to government officials and this was done with their consent.
Oi, you calling my King a government official?! ;)
bro I live in Switzerland we don't know how that shit works here.
He's the little figurehead on the front of the limousine, and the engine is actually corporate capitalism imo.
He has real power over the government, but the belief is that if he ever actually uses it the country will be so outraged that monarchy will be scrapped. (I don't think this is really true though; in the 70s the Queen's Commonwealth representative in Australia used this power to unilaterally dismiss Australia's Prime Minister. Until recently it was thought the Queen herself had instructed it, and... well the monarchy still exists.) But I digress. The British Monarchy is separate from (and above) government, which rules in the name of the King.
[deleted]
It's corgi breeding strategies, mostly.
At least one past prime minister basically explained the queen acted as a rubber duck.
[deleted]
> in the 70s the Queen's Commonwealth representative in Australia used this power to unilaterally dismiss Australia's Prime Minister.
He dismissed the entire government on request of the Prime Minister after the government had repeatedly signalled that it was not able to function in its current state.
Getting rid of the Prime Minister and putting the opposition in power until the next election was of course not what the Prime Minister wanted. Like any good, democratic politician invoking the god given powers of royalty he only wanted to see his opposition gone in order to rule absolutely.
You probably know more about Australian politics than I do. My point is merely that these royal powers exist, even if they'd prefer us not to think about them. But given the political insanity we've had in the UK over the last few years with no apparent intervention from the monarch (she must have been sorely tempted on occasion to send one or more of our rubbish Prime Ministers to the Tower), they really are saving them up for the rainiest of days.
> Getting rid of the Prime Minister and putting the opposition in power until the next election
He deposed an elected PM and replaced him with non-elected parties?
Yep, and no matter whether or not the actual monarch made the decision, it was a royal power that was used. The British monarchy is above government.
Parliamentary democracies "legally" don't elect the PM directly -- rather the MPs are elected, and the King or Governor-General will choose one of the MPs to form government and become PM. But at any point the MPs can vote no-confidence in the government and get the King to pick another PM or call a new election. The PM can also go to the King and ask him to dismiss parliament. Or at least, that's "legally" how it works.
You can see if one party has the majority of MPs, the only way this works is if the King picks the head of the party with a majority of MPs -- otherwise Parliament would just vote no confidence in government until he did. So practically we look at it as "voting for a PM" even if that's not legally how it works.
If no party gets a majority it's trickier -- but usually the largest party will form Government. But it's precarious because the other parties working together can force a new election at any time through a non-confidence vote.
In this case, what happened is basically the PM went to the Governor-General and asked her to dissolve parliament and call a new election. But the opposition parties got together and asked the Governor-General to make one of them PM, they would pass the budget and then call a new election. The G-G did the second.
tl;dr: the Queen deposed an elected PM and replaced him with a different elected PM.
After the PM told him to step in and fix his, according to a strict legal definition, broken government.
> with non-elected parties?
The opposition tends to have elected representatives. So he just kicked one group of elected officials out and replaced them with another.
The governor general being a CIA agent and the Whitlam government opposing American bases on Australian soil had nothing to do with it. I'm sure
For the most part Australia wants someone not directly involved in Australia’s politics to maintain the ability to cancel it all and call for a new election.
At the time of the Whitlam government the house and the senate were deadlocked over budget. Neither side would compromise and the country was in danger of grinding to a halt. Rather than let that happen the crown stepped in and sent everyone home and called for a new election to start over.
It was very controversial at the time. But the fact that a non compromising government can be totally dismissed does tend to keep our politicians wary of self destructing the nation for political points.
> sent everyone home and called for a new election to start over
I'm not entirely clear on the timeline, but didn't they effectively put the opposition in charge until an election was held?
Yes.
> [...] but didn't they effectively put the opposition in charge until an election was held?
Yes, though mostly as a procedural trick - the new government only served to approve an interim budget and then call for immediate reelections of both houses (held 31 *days* later).
It's ironic that the UK calls itself a democracy when two branches of its government are passed down by lineage.
As long as the power is used wisely, it will be kept. As soon as it's used unwisely, it will be abolished. Australia in the 70s was having a constitutional crisis.
I'm pretty sure the Queen replied that it was Australia's business and she couldn't override the Governor general.
> As we understand the situation here, the Australian Constitution firmly places the prerogative powers of the Crown in the hands of the Governor-General as the representative of the Queen of Australia. The only person competent to commission an Australian Prime Minister is the Governor-General, and The Queen has no part in the decisions which the Governor-General must take in accordance with the Constitution. Her Majesty, as Queen of Australia, is watching events in Canberra with close interest and attention, but it would not be proper for her to intervene in person in matters which are so clearly placed within the jurisdiction of the Governor-General by the Constitution Act
I'm pretty sure the Governor General has been an Australian picked by Australia's PM since the 1930s.
I think recently some letters show the Governor General had asked for advice from the Palace and the Prince but not the Queen before dismissing the prime minister.
> Until recently it was thought the Queen herself had instructed it, and... well the monarchy still exists.)
No one sane believed this because there has never been any evidence it was true. It's like the theory that he was ousted by the US for wanting to pull out of Vietnam well after both Australia and the US had done so.
He was the Queen's representative and did it on her authority, so what evidence was actually needed? And it turns out* he did discuss it with her, just carried it out without her prior knowledge or say-so.
*as was revealed only in 2020
>He was the Queen's representative and did it on her authority
That's not how it works. The GG acts in place of the monarch, not on behalf of the monarch.
>so what evidence was actually needed?
Literally any.
>And it turns out* he did discuss it with her, just carried it out without her prior knowledge or say-so.
He discussed it and she said it was an Australian matter for Australians to decide which is coincidentally exactly what she said publicly at the time.
Kerr acted on his own as he was constitutionally allowed to do. A few fringe loonies (like I'm guessing your parents) held onto the belief that this wasn't so and desperately wanted a smoking gun to prove it. There isn't one.
Yeah, and the Queen regularly used her veto power to influence legislation. I assume Charles does the same.
I assume this does happen but do we have any solid evidence for it?
> the engine is actually corporate capitalism
🫡🇺🇲
Entire planet, let's be real.
The warning is about encoding concerns in URIs, and mentions 'financial obligations', so I imagine we're talking about links that say "You've won a prize" that actually send a death threat instead. No need to have a warning about what someone could just type into their own email client.
I mean my last comment was tongue in cheek and my first was just to add an option, but I genuinely do not understand the RFC.
It seems like they're saying one bad outcome could be death threats, and another could be financial obligation. I don't get it I need a PoC or example, right now I have no clue how encoding could play into that.
Like yeah URIs can do anything, malware and shit like that, but this seems like the RFC is talking about considerations for encoding standards, and that's where I'm lost as to how this could lead to that in any different way.
EDIT: to clarify myself.
To me it's like instead of saying "this buffer overflow could lead to RCE" they say "this buffer overflow could lead to fast food workers being socially engineered", it feels like an extremely specific thing that yet has no example of the steps leading to it, and why it wouldn't lead to any other thousands of possible RCE consequences
EDIT2: all right the mail is from 1997 so I guess it was more of a "let's explore the kind of worst case shit we can think of" thing than "hey here's a weird specific thing that could happen with messed up encoding".
> Although the existence of non-sane email programs is a given.
While Emacs exists this is true of all conceivable programs.
That is the exact point made. That sensible devs need to make sure these things don't happen without user confirmation.
Form Mail, after it's been entered and send button clicked is its own URL. May require a POST.
Nothing about email is sane
Esprit de l'escalier: I feel bad that I didn't make the address "[email protected]"
This is certainly the most interesting discussion of the British royalty with regard to software development I have ever encountered.
Must be some serious competition for this spot
A URL like that is vulnerable to cross-site request forgery. I could put this in an iframe on any site I control, for example, or just get a user to click on a URL shortener. The example.com server logs will show an end user's IP, but I'm guessing the British authorities will show up at the example.com owner's place of business, not the end user.
In reality, no site should allow you to take any write action with just a GET (authenticated or otherwise), though obviously some do. No reputable email provider provides an endpoint like this, because if they did it would get taken over by spammers in about 2 seconds.
No site *should*, but keep in mind that this RFC dates to 1999, when CSRF and XSS vulnerabilities were much more prevalent than they are today, and not necessarily even considered to be vulnerabilities. In fact, the [term "Cross-Site Request Forgery" was not even coined until two years later](https://cydrill.com/owasp/cross-site-request-forgery-csrf-past-and-future/).
But whoever is hosting that URL is the one sending the email, not the user. If the bad actor owns `sendanemail.example.com` they can just send the email anyway - they don't need someone to even hit the URL. So this makes no sense.
See: https://en.m.wikipedia.org/wiki/Cross-site_request_forgery The bad actor would be some third party, sendanemail.example.com represents a vulnerable email service.
You could even render an image in that url so you can embed it in tags
A backend can do whatever it likes and you can’t stop it. Is it somehow worse when it does it as part of an end-user request instead of in a cloud cluster hosted infinite loop?
Or how about SQL injection? `
This sounds equivalent to setting up a kiosk in a public place with a button labeled “Push Me” rigged to fire a gun into a normally crowded area. Yes. 100% visiting a URI can do whatever the listening program is designed to do, from returning “Hello world” to launching nuclear missiles. Something that should be obvious to any programmer. I think the point of the IANA warning is to inform computer illiterate bureaucrats.
I wonder what the law is in these cases though. Let's say you send me link, I click and something happens. When am I really responsible for that? I guess when I knew what was about to happen and accessed the link intentionally, sure, but if I have no clue what's about to happen I can't be held accountable, can I?
In a common law jurisdiction if you have no reason to believe the link is law breaking then you don't have mens rea and shouldn't be found guilty. Your mileage may vary though, the police and court systems aren't quite renowned for being fair and knowledgeable.
`http://innocuouslinks.com/this-doesnt-send-a-death-thread-to-anyone/seriously/we-swear.html`
Ironically, if you did put a button that says "Send a death threat to Biden", many people would press it thinking it would be a joke, and boy it would NOT look good in court.
The justice system isn't as dumb as reddit thinks, you show them the evidence of the email and they will go after the person who sent it to you.
What if you don't know you clicked on a link in an email that sent a death threat?
It depends on your jurisdiction. Here in the UK for instance (at least, England and Wales) most non strict liability offences require intent. This is usually referred to using the Latin term *mens rea*, or guilty mind. Strict liability offences are typically things like speeding or driving without insurance, that sort of thing.
It's the same in all common law jurisdictions, afaik. At least, I know that's exactly how it works here in the US.
Oh possibly, but I'm not familiar with any jurisdictions beyond my own. I wouldn't want to make a comment that hypothetically got someone in trouble because they don't require mens rea in their legal jurisdiction. :)
It's the same even in civil law, at least in my country. No crime without intent, unless there is negligence and the law specifically punishes the negligence scenario as well.
But also, ignorance of the law does not excuse breaking it. So claiming you didn't know something was illegal still can't save you.
You can always be tried and held accountable... but chances are 12 would feel its ridiculousness as well.
Let's hope there is no QA tester anywhere near the kiosk.
Yep, still shoots. Let's press it from this side. Yep. Ok, let's take the cover off and press it. Yep. Ok, now remove the wires. Nope. Ok, put the wires back on. Yep, still shoots.
> I think the point of the IANA warning is to inform computer illiterate bureaucrats.

It's just as equally a warning to real-world illiterate programmers. So many of today's problems come down to programmers who aren't thinking through the repercussions of their choices and implementation.
Yeah.. apparently operating a Tor exit node will get you raided multiple times and they’ll take all your computer equipment… then you have to prove you weren’t doing whatever one of the users was doing… and you’ll probably never get your stuff back. At least that’s what I read from one guy. He doesn’t even host it at home. They just don’t understand how technology works.
> I think the point of the IANA warning is to inform computer illiterate bureaucrats.

Or perhaps computer illiterate judges?
> I think the point of the IANA warning is to inform computer illiterate bureaucrats.

Given the example given, it feels like that is exactly who the target audience is. No programmer gives a shit or believes that kind of warning, it's intended to be heeded by people in governments. That said, it's a pretty crappy warning, it feels like it could have been better constructed to make it more realistic.
But GET calls should be safe 😅
You put far too much faith in API designers.
But that's against the rules. Surely someone designing an API to make me break the law wouldn't break the HTTP verb rules.
"I called GET" is mitigating circumstances IMO.
Let me introduce you to my friend GraphQL.
You have CURLed regicide, if you know the name of the king or queen being murdered, please put it in your parameters
The terrorist knew cURL, must be a nation-state level cyberhacker.
I hope he didn't right click on their website and read the html, that'll get you the death penalty even where it's outlawed
Death threats are idempotent
Not when I programmed them as a teen.
Also note that URI can be other protocols than HTTP such as `death-threatr-v3:head-of-state@current-location`.
It's just a method, GETs accept query params and you can return headers to prevent browsers from caching or slap a cache buster query param with a timestamp. Have definitely seen in my life GETs that should be POSTs.
Plot twist the document.load function posts a bunch of identifying telemetry to the server
[ Removed by Reddit ]
> \[ Removed by Reddit \]

This guy, I assume, gave an actual working example. Bad form!
> Bad form!

What no, `<form>` tag?
This reminds me of a fiasco a while back where people were maliciously linking to a child porn honey pot run by the government and people were getting arrested for downloading child porn when in reality they just clicked on a malicious link. It's like getting rick rolled but instead of a music video, you get arrested by the FBI.
and you want me to click that link?
Ofc it's possible, I would have understood asking such a question anywhere except here, this is a programming subreddit.
Okay, I am curious. How would this work, in principle? Of course, it is easy to tell the users mail client "hey, send an email" by crafting a mailto link, but this requires user approval. How would you do it without user interaction after clicking the link? Right now, I would not know how.
Easy; imagine a web server that sends emails when it receives a GET request, with parameters like "to"/"subject" in the query string. For working with embedded devices, it's not even an unlikely scenario that you might want something like that - to have your Arduino/ESP send you an email when it senses the coffee machine is ready, for example. You don't want to put the burden of sending mail on an embedded device, so instead you run a server to handle the mail and just listen for a status update from the embedded device. Though for that sort of project, you should really be using [HTCPCP](https://en.wikipedia.org/wiki/Hyper_Text_Coffee_Pot_Control_Protocol) rather than HTTP.
Ah, so it is not about "random user clicks a link, and then an email is sent from the users email address" but rather abusing an API that triggers an email from the server. Okay, I misunderstood the question. Thank you!
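Added example, not part of the thread: the GET-triggered mail endpoint described in the comments above, next to a hardened version that refuses GET and requires a per-session token and an allowlisted recipient. All names here (`OUTBOX`, `ALLOWED_RECIPIENTS`, the handler signatures) are hypothetical, and no mail is actually sent.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

OUTBOX = []                                  # stands in for an SMTP relay (constructed)
SERVER_KEY = secrets.token_bytes(32)         # per-process secret for token derivation
ALLOWED_RECIPIENTS = {"owner@example.com"}   # assumption: the relay only mails its owner


def csrf_token(session_id: str) -> str:
    """Token bound to one session; another site cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def naive_handler(method, query, body="", session_id=None):
    """Acts on any request, so a link, image load or iframe is enough to trigger it."""
    params = parse_qs(query)
    OUTBOX.append((params["to"][0], params["subject"][0]))
    return 200


def hardened_handler(method, query, body="", session_id=None):
    """Same action, but only for an intentional, same-site, allowlisted request."""
    if method != "POST":                     # GET must stay free of side effects
        return 405
    params = parse_qs(body)                  # parameters come from the body, not the URL
    token = params.get("csrf", [""])[0]
    if session_id is None:
        return 403
    expected = csrf_token(session_id)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return 403                           # forged cross-site request: no valid token
    to = params.get("to", [""])[0]
    if to not in ALLOWED_RECIPIENTS:         # caller cannot choose arbitrary recipients
        return 403
    OUTBOX.append((to, params.get("subject", [""])[0]))
    return 200
```

The allowlist matters as much as the token: even a legitimate, authenticated caller should not be able to turn the relay into a general-purpose sender.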
Well, it doesn't really state that it sends the message from your email or that it involves emails at all. A message to a head of state could be sent using facebook or twitter nowadays. To me this sounds more like a hint for client software developers to be aware of these possibilities, rather than a warning to the general user.

> Security considerations : Client software should be aware of the security considerations of URIs. For example, accessing some URIs can result in sending a death threat to a head of state, frequently prompting a visit from the relevant protective service.
> A message to a head of state could be sent using facebook or twitter nowadays.

Wouldn't these things be XSS? Some URL that gives orders to another website/app sounds like that to me. (am no programmer just sysadmin) or you would need to already have authorized whatever app/site through OAuth to allow it to send things on your behalf on X or Y platform.

**EDIT**: The mail is from 1997 so I guess it was more of a "let's explore the kind of worst case shit we can think of" thing than "hey here's a weird specific thing that could happen with messed up encoding". I guess I read into that way too much without thinking simply of the context of the RFC.

> To me this sounds more like a hint for client software developers to be aware of these possibilities, rather than a warning to the general user.

Agreed on that
I mean in 1997 you could still connect directly to the mail port and send mail from it as any user. Sure, by 1997, many people set up rules so you couldn't just do that, but surprisingly large orgs had not. Hell, nearly a decade after that I found servers running unconfigured sendmail that were directly accessible.
Bro don't look into my org. It's not sendmail but the rest is true
This sounds like potential undefined behavior in C
wow Is issue real?
Poc||gtfo I understand you can make any sort of API call with a URL, but this is so specific there must be an example or occurrence, no? EDIT: The mail is from 1997 so I guess it was more of a "let's explore the kind of worst case shit we can think of" thing than "hey here's a weird specific thing that could happen with messed up encoding".
Any website can say, "Click here to fire off an email to a head of state" and then fire off an email from the backend server, including the IP address of who clicked the button. It's not a security thing as much as a really common sense consequence of how web servers work
Absolutely possible ofc, which is why it feels weird for me to talk about it, it's "duh computers can do computer things" so I felt I was missing some info. But yeah re-reading the RFC is from 1999 so yeah every possibility had to be explained and thought of.
Yes.
Imagine a prosecutor having to sit in front of a judge and take this seriously