[LWN Logo]
[Timeline]
Date: Mon, 05 Feb 2001 10:55:49 -0500
To: politech@politechbot.com
From: Declan McCullagh <declan@well.com>
Subject: FC: If you forward HTML email, it could be eavesdropped
X-URL: Politech is at http://www.politechbot.com/
X-Author: Declan McCullagh is at http://www.mccullagh.org/

"Email wiretapping" seems a little overblown, but this is bad news.

The new netiquette:
1. Friends don't send friends HTML email
2. Friends don't accept HTML email from friends
3. Friends don't let friends use Outlook or Navigator to read email
4. If you or a friend must break the above three rules, then disable Javascript
5. If you or a friend must break the above four rules, remove Javascript 
code from the HTML emil you forward (ask a geek for help)

- -Declan

**********

From: "Richard M. Smith" <rms@privacyfoundation.org>
To: "Declan McCullagh" <declan@well.com>
Subject: Privacy advisory on email wiretapping
Date: Mon, 5 Feb 2001 08:00:55 -0500

Hello,

The Privacy Foundation has issued a privacy advisory today
describing a serious problem with the Outlook, Outlook Express,
and Netscape 6 email readers.  By adding a small bit
of JavaScript code to an HTML email message, the sender
of a message can listen in on comments added to the
message whenever the message is forwarded to anyone else
by the original receiver of the message.

We have nicknamed the problem "email wiretapping".  The exploit
is not based on any security hole, but uses standard,
documented features of JavaScript to read the contents
of a email message.  A Web bug or hidden form can
be used to transmit the contents of the message back to
the sender.  The JavaScript code is copied each time
the message is forwarded or replied to by vulnerable
email readers.

Some of the possible uses of the exploit include:

   - In a negotiation conducted by email, one side can
     learn the bargaining position of the other side
   - To extract off-the-record remarks from governmental
     or company officials
   - To harvest email addresses as a chain letter
     is being circulated.

The complete advisory can be found at:

http://www.privacyfoundation.org/advisories/advemailwiretap.html

The problem was originally found by Carl Voth and
his write-up can be found at:

http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-relea
se.html

The New York Times also has a story about the problem
in today's paper.  The story is available online at:

http://www.nytimes.com/2001/02/05/technology/05JAVA.html

Richard

PS.  The message is not bugged! ;-) 




- -------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
- -------------------------------------------------------------------------