Here’s something a little scary for anyone who uses Outlook Web Access. Watch out for the links you click in emails, because your browser may send a whole lot of information about you in the HTTP Referer header.
Browsing through my log files the other day, I found this as one of my referers (all specific information changed to protect the innocent):
This is the referer that results from clicking on a link displayed in Outlook Web Access. It’s the URL from one of the message pop-up windows. You don’t usually see it because when you open a message, the address line is suppressed in the pop-up. Next time, open a message, right-click on the page, and click “View Page Info” (Mozilla / Firebird) or “Properties” (IE).
From one line in a log file, I have the name of the user and the name of her company. I typed in the domain name, and I got a Web site for the company, with helpful contact information listing a city and state.
Using that information, a Google search turned up her email address, home address, and home telephone number. Within about 60 seconds, I knew where she worked, where she lived, and how to email, postal mail, and telephone her.
Based on my knowledge, there’s no way to protect against this. The browser doesn’t know that it’s exposing a privacy hole by sending the URL of the referring page. The browser doesn’t even know it’s using Outlook Web Access. It could be at CNN for all it knows — browsers just blindly pass along URLs, since there’s rarely any identifying information in them.
I know of no browser which you can configure to not send an HTTP Referer header, though this would be a handy feature.
In the end, this brings up a good point for secure coding: never embed identifying information in a URL on the assumption that the user will be the only one who ever sees it. Browsers will blissfully pass those URLs along in the Referer header, to any site the user clicks through to, without telling anyone.