A reason not to use browsers for e-mail - e-mail wiretapping (fwd)

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Wed, 7 Feb 2001 13:51:44 +0000 (GMT)


If there is real substance in this then to deploy it in the UK would seem
to be a breach of both the Computer Misuse Act and RIPA.

The Privacy Foundation URL is worth a read. The exploit is not a bug but
its consequences are nasty indeed.
 
Quentin
--
PHONE: +44 191 222 8209     Computing Service, University of Newcastle
FAX:   +44 191 222 8765     Newcastle upon Tyne, United Kingdom, NE1 7RU.
-------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."

---------- Forwarded message ----------
>The Privacy Foundation has issued a privacy advisory today
>describing a serious problem with the Outlook, Outlook Express,
>and Netscape 6 email readers.  By adding a small bit
>of JavaScript code to an HTML email message, the sender
>of a message can listen in on comments added to the
>message whenever the message is forwarded to anyone else
>by the original receiver of the message.
>
>We have nicknamed the problem "email wiretapping".  The exploit
>is not based on any security hole, but uses standard,
>documented features of JavaScript to read the contents
>of an email message.  A Web bug or hidden form can
>be used to transmit the contents of the message back to
>the sender.  The JavaScript code is copied each time
>the message is forwarded or replied to by vulnerable
>email readers.
>
>Some of the possible uses of the exploit include:
>
>    - In a negotiation conducted by email, one side can
>      learn the bargaining position of the other side
>    - To extract off-the-record remarks from governmental
>      or company officials
>    - To harvest email addresses as a chain letter
>      is being circulated.
>
>The complete advisory can be found at:
>
>http://www.privacyfoundation.org/advisories/advemailwiretap.html
>
>The problem was originally found by Carl Voth and
>his write-up can be found at:
>
>http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html
>
>The New York Times also has a story about the problem
>in today's paper.  The story is available online at:
>
>http://www.nytimes.com/2001/02/05/technology/05JAVA.html
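
The forwarded advisory names three ingredients in an HTML message: JavaScript, a hidden form and a Web bug. As an added example (not part of the original message or the Privacy Foundation advisory), a mail gateway or triage script could flag them as below; the class and function names, the collector.example host and the sample message are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Collects the HTML features the advisory names: script, forms, remote images."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        elif tag == "form":
            self.findings.append("form element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
            elif tag == "img" and name == "src" and value.startswith(("http:", "https:")):
                self.findings.append("remote image (possible web bug)")

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            finder = ActiveContentFinder()
            finder.feed(part.get_payload(decode=True).decode(charset, errors="replace"))
            findings.extend(finder.findings)
    return findings

# Constructed sample: inert placeholder markup, no working script body.
SAMPLE = """From: a@example.com
Subject: constructed sample
Content-Type: text/html; charset="us-ascii"

<html><body onload="placeholder()">
<script>/* placeholder */</script>
<form action="http://collector.example/"><input type="hidden" name="t"></form>
<img src="http://collector.example/bug.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print("\n".join(scan_message(SAMPLE)))
```

A message with any finding can be delivered with its HTML part stripped or replaced by the plain-text alternative, so nothing active survives into a forward or reply.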