Roundcube Webmail: SVG feImage bypasses image blocking to track email opens

Sneaky email “spy pixel” slips past Roundcube’s block—fix lands, comment wars erupt

TLDR: Roundcube’s email app let a hidden SVG image track opens even with image blocking on; it’s now fixed in 1.5.13 and 1.6.13. Commenters split between going offline, nuking risky attachments, prefetching all images to confuse trackers, and even doubting the source—privacy anxiety meets patch day drama.

Your inbox might’ve been spying on you: Roundcube’s “block remote images” missed a tiny SVG filter trick, letting a hidden 1x1 spy pixel call home. The fix is out in versions 1.5.13 and 1.6.13, but the community reaction? Pure drama. Privacy diehards like Galanwe flexed their offline setups—“read less online, avoid trackers”—turning email minimalism into a lifestyle. Meanwhile, stragies raised the stakes: is Roundcube the only one, or are other webmail apps next? Cue collective side-eye.

Then came the chaos theory: smelendez suggested prefetching every image and caching it for 72 hours so “opened” becomes meaningless. Half the crowd cheered the idea of drowning trackers in noise; the other half wondered if that’s just feeding them more data. On the defense, jonathanlydall said fraudsters love .svg attachments and simply blocks .svg and .htm(l)—the “nuke from orbit” school of security.

And because no good bug is complete without meta-drama, michaelteter questioned the source blog’s single lonely post. Is it a new whistleblower or just a one-off? The paranoia spilled over from pixels to provenance.

Bottom line: Roundcube patched the hole so SVG image links are treated like images and blocked. Update now, then watch the comment section burn hotter than your inbox. See Roundcube for releases.

Key Points

  • Roundcube Webmail’s sanitizer let SVG feImage href bypass remote image blocking.
  • Affected versions: < 1.5.13 and 1.6.x < 1.6.13; fixed in 1.5.13 and 1.6.13.
  • The bug arose because feImage href was treated as a link (wash_link) instead of an image attribute.
  • A proof-of-concept SVG filter triggered a remote GET, enabling email open tracking.
  • Fix 26d7677 adds feimage to href image checks, routing through wash_uri to block remote URLs.
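To make the bug class concrete, here is a small added example (not Roundcube's code, and not a transcription of fix 26d7677) showing why routing an attribute through the link washer instead of the image washer matters. The SVG input is constructed, the tracker host is a placeholder, and `wash_image_uri`/`wash_link_uri` are hypothetical stand-ins for the kind of checks the key points describe (`wash_uri` versus `wash_link`): the same document is sanitized once with `feimage` in the image-element list (the fixed behaviour) and once without it (the pre-fix behaviour), and only the former blocks the remote reference.

```python
"""Added illustration of the feImage sanitizer gap; not Roundcube's washtml code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Attributes that may carry a reference, in either plain or xlink form.
HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href", "src")
BLOCKED_PLACEHOLDER = "blocked:remote-image"  # constructed placeholder value

# Elements whose reference attribute loads image content. The fix described
# on the page amounts to adding "feimage" to a list like this one.
IMAGE_ELEMENTS_FIXED = frozenset({"img", "image", "feimage"})
IMAGE_ELEMENTS_PRE_FIX = frozenset({"img", "image"})


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tags; compare lowercased."""
    return tag.rsplit("}", 1)[-1].lower()


def wash_image_uri(uri, block_remote):
    """Hypothetical image washer: inline data: and cid: parts are fine,
    anything else (http, https, protocol-relative, ...) is a remote fetch."""
    scheme = urlsplit(uri.strip()).scheme.lower()
    if scheme in ("data", "cid"):
        return uri, False
    if block_remote:
        return BLOCKED_PLACEHOLDER, True
    return uri, False


def wash_link_uri(uri):
    """Hypothetical link washer: hyperlinks to http(s)/mailto are kept, so a
    remote URL passes through untouched. That is exactly why an image
    reference must never be washed here."""
    scheme = urlsplit(uri.strip()).scheme.lower()
    if scheme in ("http", "https", "mailto", ""):
        return uri
    return "#"


def sanitize_svg(svg_text, block_remote=True, image_elements=IMAGE_ELEMENTS_FIXED):
    """Return (cleaned SVG, list of (element, uri) that were blocked)."""
    root = ET.fromstring(svg_text)
    blocked = []
    for el in root.iter():
        name = local_name(el.tag)
        for attr in HREF_ATTRS:
            if attr not in el.attrib:
                continue
            uri = el.attrib[attr]
            if name in image_elements:
                new_uri, was_blocked = wash_image_uri(uri, block_remote)
                if was_blocked:
                    blocked.append((name, uri))
            else:
                new_uri = wash_link_uri(uri)
            el.set(attr, new_uri)
    return ET.tostring(root, encoding="unicode"), blocked


# Constructed sample: a 1x1 SVG whose filter pulls an image from a remote host,
# plus an inline data: image and an ordinary hyperlink for contrast.
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="1" height="1">
  <filter id="f">
    <feImage xlink:href="https://tracker.example/open.gif?id=PLACEHOLDER"/>
  </filter>
  <image href="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1"/>
  <a href="https://example.com/newsletter"><rect width="1" height="1" filter="url(#f)"/></a>
</svg>"""


def blocked_urls_fixed():
    return [uri for _, uri in sanitize_svg(SAMPLE_SVG)[1]]


def blocked_urls_pre_fix():
    return [uri for _, uri in sanitize_svg(SAMPLE_SVG, image_elements=IMAGE_ELEMENTS_PRE_FIX)[1]]


if __name__ == "__main__":
    print("fixed, blocked:  ", blocked_urls_fixed())
    print("pre-fix, blocked:", blocked_urls_pre_fix())
    print(sanitize_svg(SAMPLE_SVG)[0])
```

Running it shows the pre-fix pass blocking nothing because `feImage`'s `xlink:href` is handed to the link washer, which is happy with an `https:` URL, while the fixed pass replaces the remote reference and leaves the inline `data:` image and the `<a>` hyperlink alone. A maintainer would keep a pair of cases like these as a regression test so that the element list and the attribute forms (`href` and `xlink:href`) cannot silently drift apart again.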

Hottest takes

“Prefetch every image, cache it, and make ‘opened’ meaningless” — smelendez
“I wonder if other webmail clients will need to be patched” — stragies
“Curious that this blog has only one post” — michaelteter
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.