When I wrote Monday about the new didtheyreadit.com privacy-invading email tracking system, I had no idea that an even more invasive system has been on the market for two years or so. This system, called readnotify.com, was pointed out by commenter Brian Parsons.
readnotify.com is an email tracking system that uses Web bugs (like didtheyreadit) and also uses a trick involving IFRAMEs (unlike didtheyreadit). The IFRAME trick cannot be disabled by the standard countermeasure of turning off remote image loading. There may not be an easy way to disable it in today’s email software, short of turning off HTML email entirely.
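As an added illustration (not part of the original post, and not readnotify's code), the following script audits a message for remote loads and shows which ones an images-only block would leave in place. The sample message, the `tracker.example` domain and the function names are constructed for this example, and it assumes a mail client whose image-blocking setting covers only `img` elements.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; tracker.example is a placeholder domain.
SAMPLE = """\
From: sender@example.org
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="https://tracker.example/bug.gif?id=abc123" width="1" height="1">
<iframe src="https://tracker.example/frame?id=abc123" width="0" height="0"></iframe>
<img src="cid:logo@example.org">
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect (tag, url) for every element whose src triggers a network fetch."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        # cid: and data: URLs are carried inside the message, so no request is made.
        if src and (src.startswith("//") or urlparse(src).scheme in ("http", "https")):
            self.refs.append((tag, src))

def remote_refs(raw_message):
    """Return remote (tag, url) pairs from all text/html parts of a message."""
    msg = message_from_string(raw_message, policy=default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.refs

def survives_image_blocking(refs):
    """Remote loads left in place when only <img> fetches are blocked (assumption)."""
    return [(tag, url) for tag, url in refs if tag != "img"]

if __name__ == "__main__":
    refs = remote_refs(SAMPLE)
    for tag, url in refs:
        print(f"{tag:7} {url}")
    print("still fetched with images off:", survives_image_blocking(refs))
```

A mail gateway or client-side filter can use the same inventory to strip or rewrite non-image remote elements before the message is rendered.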
Worse yet, readnotify offers a service that lets anyone put hidden tracking bugs in Word documents, Excel spreadsheets, and other OLE-compliant document formats. When somebody opens a document containing one of these trackers, the time of the access is reported, along with the accessor’s IP address (which often reveals their geographic location) and some configuration information about their computer.
The vulnerability in Word that readnotify exploits was discovered back in 2000 by Richard M. Smith. It got some press coverage back then, but was mostly ignored because there were no reports (at that time) of anybody exploiting the vulnerability. Now there are commercial products that exploit it. It’s time for Microsoft to fix this vulnerability.