Fun with Gzip Bombs and Email Clients

Protonmail and iCloud webmail’s proxies seem to fetch the whole 10MB file, but discard it. Protonmail will warn you that it failed to load the image, and give you the option of loading it directly from your web browser (not using their proxy). If you say yes, you leak your IP, but the browser doesn’t crash. This works well.

Evolution Mail has no defense for this. It downloads the whole 10MB and then proceeds to fully decompress it into its cache/evolution/http/ directory. I sent myself an email with this in the body:
In less than a minute after clicking “Load remote content”, Evolution Mail had added 100GB of data to my laptop's disk.

1 Like
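An added example, not part of the original post and not Evolution's or any proxy's code: a client that fetches remote content can cap the decompressed size while streaming, so a small gzip body like the one described above is rejected long before it expands to fill the disk. The helper name, the 1 MiB cap and the zero-filled sample are assumptions made for illustration.

```python
import gzip
import io
import zlib


class DecompressionLimitExceeded(Exception):
    """The gzip body would expand past the configured cap."""


def bounded_gunzip(stream, max_output, chunk_size=64 * 1024):
    """Inflate a gzip stream, refusing to emit more than max_output bytes.

    Hypothetical helper: the name, cap and chunk size are assumptions.
    """
    inflater = zlib.decompressobj(zlib.MAX_WBITS | 16)  # | 16: expect a gzip header
    out = bytearray()
    while not inflater.eof:
        chunk = stream.read(chunk_size)
        if not chunk:
            raise ValueError("truncated gzip stream")
        while chunk:
            # Request one byte beyond the budget so an overrun is detectable
            # without ever inflating the rest of the bomb.
            budget = max_output - len(out) + 1
            out += inflater.decompress(chunk, budget)
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    f"body exceeds {max_output} decompressed bytes")
            chunk = inflater.unconsumed_tail
    return bytes(out)


def demo():
    """Run the helper on constructed samples: a small body and a zero-filled bomb."""
    benign = gzip.compress(b"hello, inbox")
    bomb = gzip.compress(b"\0" * (20 * 1024 * 1024))  # constructed: 20 MiB of zeros
    cap = 1024 * 1024
    ok = bounded_gunzip(io.BytesIO(benign), cap)
    try:
        bounded_gunzip(io.BytesIO(bomb), cap)
        blocked = False
    except DecompressionLimitExceeded:
        blocked = True
    return ok, len(bomb), blocked


if __name__ == "__main__":
    print(demo())
```

The same budget check applies when the output goes to a cache file instead of memory: count bytes written and abort, deleting the partial file, once the cap is crossed.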

@Proton_Team is there any warning about IP leakage before clicking “Yes”?