FC: If you forward HTML email, it could be eavesdropped

kelley kwalker2 at gte.net
Mon Feb 5 08:26:56 PST 2001


<forwarded>

"Email wiretapping" seems a little overblown, but this is bad news.

The new netiquette:

1. Friends don't send friends HTML email
2. Friends don't accept HTML email from friends
3. Friends don't let friends use Outlook or Navigator to read email
4. If you or a friend must break the above three rules, then disable Javascript
5. If you or a friend must break the above four rules, remove Javascript code from the HTML email you forward (ask a geek for help)

-Declan

**********

From: "Richard M. Smith" <rms at privacyfoundation.org>
To: "Declan McCullagh" <declan at well.com>
Subject: Privacy advisory on email wiretapping
Date: Mon, 5 Feb 2001 08:00:55 -0500

Hello,

The Privacy Foundation has issued a privacy advisory today describing a serious problem with the Outlook, Outlook Express, and Netscape 6 email readers. By adding a small bit of JavaScript code to an HTML email message, the sender of a message can listen in on comments added to the message whenever the message is forwarded to anyone else by the original receiver of the message.

We have nicknamed the problem "email wiretapping". The exploit is not based on any security hole, but uses standard, documented features of JavaScript to read the contents of an email message. A Web bug or hidden form can be used to transmit the contents of the message back to the sender. The JavaScript code is copied each time the message is forwarded or replied to by vulnerable email readers.

Some of the possible uses of the exploit include:

- In a negotiation conducted by email, one side can learn the bargaining position of the other side
- To extract off-the-record remarks from governmental or company officials
- To harvest email addresses as a chain letter is being circulated.

The complete advisory can be found at:

http://www.privacyfoundation.org/advisories/advemailwiretap.html

The problem was originally found by Carl Voth and his write-up can be found at:

http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html

The New York Times also has a story about the problem in today's paper. The story is available online at:

http://www.nytimes.com/2001/02/05/technology/05JAVA.html

Richard

PS. The message is not bugged! ;-)

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------

</backwarded>
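As an added defensive illustration (not part of this post or of the Privacy Foundation advisory), here is a small Python filter that does what rule 5 of the netiquette list asks for: it strips script blocks, on* event handlers and javascript: URLs from an HTML message body before it is forwarded, so embedded code does not travel along with the quoted text. The tag and attribute lists and the sample message are my own assumptions.

```python
from html import escape
from html.parser import HTMLParser

DROP_TAGS = {"script", "iframe", "object", "embed"}  # dropped with their content
URL_ATTRS = {"href", "src", "action", "background"}  # may carry a javascript: URL

class EmailSanitizer(HTMLParser):  # re-emits HTML minus scripts, on* handlers, javascript: URLs
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth, self.removed = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:  # swallow the tag and everything inside it
            self.skip_depth += 1
            self.removed += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onload=, onmouseover=, ... run script
                self.removed += 1
                continue
            # whitespace is collapsed so "java script:" variants are caught too
            if name in URL_ATTRS and "".join(value.split()).lower().startswith("javascript:"):
                self.removed += 1
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text is re-escaped; HTML comments are discarded
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_html_email(html):  # returns (clean_html, number of active items removed)
    p = EmailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed

# Constructed sample: a script block, an event handler and a javascript: link.
SAMPLE = ('<body onload="spy()"><p>Let&#39;s talk &amp; agree.</p><script>document.forms[0].submit()</script>'
          '<a href="javascript:leak()">terms</a></body>')
```

Running `sanitize_html_email(SAMPLE)` keeps the visible text and markup and reports three active items removed.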


