A reason not to use browsers for e-mail - e-mail
wiretapping (fwd)
Andrew Cormack
Andrew.Cormack at ukerna.ac.uk
Wed, 07 Feb 2001 18:06:51 +0000
Sounds plausible. JavaScript has a lot of functionality and no security. If
it does work, then plenty of "real" mail clients are likely to be affected
as well as web browsers, if they have scripting enabled. Turning off
scripting (or using an MUA which doesn't have it) is a really good idea.
Andrew
At 13:51 07/02/01 +0000, you wrote:
>If there is real substance in this then to deploy it in the UK would seem
>to be a breach of both the Computer Misuse Act and RIPA.
>
>The Privacy Foundation URL is worth a read. The exploit is not a bug but
>its consequences are nasty indeed.
>
>Quentin
>--
>PHONE: +44 191 222 8209 Computing Service, University of Newcastle
>FAX: +44 191 222 8765 Newcastle upon Tyne, United Kingdom, NE1 7RU.
>-------------------------------------------------------------------------
>"Any opinions expressed above are mine. The University can get its own."
>
>---------- Forwarded message ----------
>>The Privacy Foundation has issued a privacy advisory today
>>describing a serious problem with the Outlook, Outlook Express,
>>and Netscape 6 email readers. By adding a small bit
>>of JavaScript code to an HTML email message, the sender
>>of a message can listen in on comments added to the
>>message whenever the message is forwarded to anyone else
>>by the original receiver of the message.
>>
>>We have nicknamed the problem "email wiretapping". The exploit
>>is not based on any security hole, but uses standard,
>>documented features of JavaScript to read the contents
>>of a email message. A Web bug or hidden form can
>>be used to transmit the contents of the message back to
>>the sender. The JavaScript code is copied each time
>>the message is forwarded or replied to by vulnerable
>>email readers.
>>
>>Some of the possible uses of the exploit include:
>>
>> - In a negotiation conducted by email, one side can
>> learn the bargaining position of the other side
>> - To extract off-the-record remarks from governmental
>> or company officials
>> - To harvest email addresses as a chain letter
>> is being circulated.
>>
>>The complete advisory can be found at:
>>
>>http://www.privacyfoundation.org/advisories/advemailwiretap.html
>>
>>The problem was originally found by Carl Voth and
>>his write-up can be found at:
>>
>>http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-relea
>>se.html
>>
>>The New York Times also has a story about the problem
>>in today's paper. The story is available online at:
>>
>>http://www.nytimes.com/2001/02/05/technology/05JAVA.html
>
>
>
--------------------------------------------------------------
Andrew Cormack
Head of CERT
UKERNA, Atlas Centre, Chilton, Didcot, Oxon. OX11 0QS
Phone: 01235 822 302 E-mail: Andrew.Cormack@ukerna.ac.uk
Fax: 01235 822 398