
Fwd: [[email protected]: FC: If you forward HTML email, it could be eavesdropped]

----- Forwarded message from Declan McCullagh <[email protected]> -----

Date: Mon, 05 Feb 2001 10:55:49 -0500
To: [email protected]
From: Declan McCullagh <[email protected]>
Subject: FC: If you forward HTML email, it could be eavesdropped

"Email wiretapping" seems a little overblown, but this is bad news.

The new netiquette:
1. Friends don't send friends HTML email
2. Friends don't accept HTML email from friends
3. Friends don't let friends use Outlook or Navigator to read email
4. If you or a friend must break the above three rules, then disable Javascript
5. If you or a friend must break the above four rules, remove Javascript 
code from the HTML email you forward (ask a geek for help)



From: "Richard M. Smith" <[email protected]>
To: "Declan McCullagh" <[email protected]>
Subject: Privacy advisory on email wiretapping
Date: Mon, 5 Feb 2001 08:00:55 -0500


The Privacy Foundation has issued a privacy advisory today
describing a serious problem with the Outlook, Outlook Express,
and Netscape 6 email readers.  By adding a small bit
of JavaScript code to an HTML email message, the sender
of a message can listen in on comments added to the
message whenever the message is forwarded to anyone else
by the original receiver of the message.

We have nicknamed the problem "email wiretapping".  The exploit
is not based on any security hole, but uses standard,
documented features of JavaScript to read the contents
of an email message.  A Web bug or hidden form can
be used to transmit the contents of the message back to
the sender.  The JavaScript code is copied each time
the message is forwarded or replied to by vulnerable
email readers.

Some of the possible uses of the exploit include:

   - In a negotiation conducted by email, one side can
     learn the bargaining position of the other side
   - To extract off-the-record remarks from governmental
     or company officials
   - To harvest email addresses as a chain letter
     is being circulated.

The complete advisory can be found at:


The problem was originally found by Carl Voth and
his write-up can be found at:


The New York Times also has a story about the problem
in today's paper.  The story is available online at:



PS.  The message is not bugged! ;-) 

POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/

----- End forwarded message -----
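
Rule 5 in the list above (remove JavaScript from HTML mail before forwarding it) can be done mechanically. The Python below is an added example, not code from the advisory or from the list: it rebuilds an HTML body without script elements, event-handler attributes and `javascript:` URLs, and also drops forms and remote images, the two transmission channels the advisory names. The class and function names, the sample body and the `collector.example` host are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

DROP_WITH_CONTENT = {"script", "form", "iframe", "object", "style"}  # removed with contents
DROP_VOID = {"input", "embed"}  # removed on their own (no content)
URL_ATTRS = {"href", "src", "action", "background"}

class ForwardSanitizer(HTMLParser):  # rebuilds the body without active content
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            self.removed.append(tag)
        if self.skip or tag in DROP_VOID:
            return
        kept = []
        for name, value in attrs:
            v = "".join((value or "").split()).lower()  # catches "java\tscript:"
            if name.startswith("on") or (name in URL_ATTRS and v.startswith("javascript:")):
                self.removed.append(f"{tag}@{name}")  # event handler or script URL
            elif tag == "img" and name == "src" and v.startswith(("http:", "https:", "//")):
                self.removed.append("remote-img")  # remote image: possible Web bug
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    handle_startendtag = handle_starttag  # <br/> form: no separate end tag emitted

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in DROP_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_for_forward(html_body):  # -> (cleaned_html, removed_items)
    parser = ForwardSanitizer()
    parser.feed(html_body)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out), parser.removed

# Constructed sample body; collector.example is a placeholder host.
SAMPLE = ('<body onload="r()"><p>Offer &amp; terms</p><script>function r(){}</script><a href="JavaScript:r()">x</a>'
          '<form action="//collector.example/f"><input type="hidden" name="t"></form><img src="http://collector.example/b.gif"></body>')
```

An unclosed `<script>` or `<form>` leaves the parser in skip mode, so everything after it is dropped rather than passed through.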