Politech mailing list archives

FC: If you forward HTML email, it could be eavesdropped
From: Declan McCullagh <declan () well com>
Date: Mon, 05 Feb 2001 10:55:49 -0500

"Email wiretapping" seems a little overblown, but this is bad news.

The new netiquette:
1. Friends don't send friends HTML email
2. Friends don't accept HTML email from friends
3. Friends don't let friends use Outlook or Navigator to read email
4. If you or a friend must break the above three rules, then disable Javascript
5. If you or a friend must break the above four rules, remove Javascript code from the HTML email you forward (ask a geek for help)

-Declan

**********

From: "Richard M. Smith" <rms () privacyfoundation org>
To: "Declan McCullagh" <declan () well com>
Subject: Privacy advisory on email wiretapping
Date: Mon, 5 Feb 2001 08:00:55 -0500

Hello,

The Privacy Foundation has issued a privacy advisory today
describing a serious problem with the Outlook, Outlook Express,
and Netscape 6 email readers.  By adding a small bit
of JavaScript code to an HTML email message, the sender
of a message can listen in on comments added to the
message whenever the message is forwarded to anyone else
by the original receiver of the message.

We have nicknamed the problem "email wiretapping".  The exploit
is not based on any security hole, but uses standard,
documented features of JavaScript to read the contents
of an email message.  A Web bug or hidden form can
be used to transmit the contents of the message back to
the sender.  The JavaScript code is copied each time
the message is forwarded or replied to by vulnerable
email readers.

Some of the possible uses of the exploit include:

  - In a negotiation conducted by email, one side can
    learn the bargaining position of the other side
  - To extract off-the-record remarks from governmental
    or company officials
  - To harvest email addresses as a chain letter
    is being circulated.

The complete advisory can be found at:

http://www.privacyfoundation.org/advisories/advemailwiretap.html

The problem was originally found by Carl Voth and
his write-up can be found at:

http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html

The New York Times also has a story about the problem
in today's paper.  The story is available online at:

http://www.nytimes.com/2001/02/05/technology/05JAVA.html

Richard

PS. The message is not bugged! ;-)



-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
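A defender-side illustration of rule 5 above (strip the active content from an HTML message before forwarding it), added here by the editor and not part of the original post or of the Privacy Foundation advisory: a stdlib-only Python sanitizer that drops script blocks, event-handler attributes, javascript: URLs, forms and remote images (the exfiltration channels the advisory names) and reports what it removed. The class and function names, the sample message and the tracker hostnames are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

DROP_WITH_BODY = {"script", "style", "form", "iframe", "object", "embed"}  # and contents
DROP_TAG = {"img"}                          # a 1x1 remote image is the classic web bug
URL_ATTRS = {"href", "src", "action", "formaction"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()                  # convert_charrefs=True: text arrives decoded
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if self._skip or tag in DROP_WITH_BODY or tag in DROP_TAG:
            if not self._skip:              # report only the outermost dropped element
                self.findings.append(f"<{tag}> removed")
            self._skip += tag in DROP_WITH_BODY   # nesting depth; <img> has no body
            return
        kept = []
        for name, value in attrs:           # HTMLParser lower-cases names for us
            v = value or ""
            if name.startswith("on"):       # onload=, onmouseover=, ... handlers
                self.findings.append(f"{tag}: {name} handler removed")
                continue
            scheme = "".join(v.split(":", 1)[0].split()).lower() if ":" in v else ""  # "java\nscript:" too
            if name in URL_ATTRS and scheme in {"javascript", "vbscript", "data"}:
                self.findings.append(f"{tag}: {name} with {scheme}: URL removed")
                continue
            kept.append(f' {name}="{escape(v)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag not in DROP_TAG:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-encode &, <, >

def sanitize_html_mail(body: str) -> tuple[str, list[str]]:
    p = MailSanitizer()
    p.feed(body); p.close()
    return "".join(p.out), p.findings

SAMPLE = ('<html><body><p onmouseover="alert(1)">Hi Bob,</p>'   # constructed sample
          '<script>document.forms[0].submit()</script><img src="http://t.example/b.gif">'
          '<a href="JavaScript:steal()">click</a><form action="http://t.example/c">'
          '<input name="x"></form><p class="sig">&amp; best regards</p></body></html>')
```

Run `sanitize_html_mail(SAMPLE)` to see the cleaned body and the findings list; a mail gateway would log the findings and forward only the cleaned body.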