That Evolution mail caching behaviour is really sketchy. I wonder if it could be used for an exploit in the right scenario. If nothing else, it’s a good way to make an email that looks completely different depending on which client it’s opened in.
I love this, thanks for sharing. When I failed to get a measurable time difference myself I was worried I might just be doing something wrong and it'd get flagged the moment I published my research, so it's great to get confirmation from other people.
With the single-packet attack, you look at the order that the responses arrive in, instead of the time they take to arrive. Since the responses are on a single TLS stream, they always arrive at the client in the order that the server issued them in. Hope that makes sense!
tldr: curl's --data-binary argument normally specifies arbitrary data to send to the server. However, if the argument starts with an @, curl instead treats it as a filename, and sends the file contents to the server.
This technique is likely to work on anything with 'copy as curl' functionality, and may also work on some websites with SSRF where you control a request body or header name.
I wrote this up but full credit goes to Paul Mutton for reporting it to our bug bounty program, and agreeing to let us publish the technique.