RealTime IT News

HTML E-mail Clients Susceptible to 'Wire-Tapping'

A two-and-a-half-year-old JavaScript exploit which utilizes the HTML e-mail features of Microsoft Outlook, Outlook Express and Netscape 6.0 Mail to "wire-tap" e-mail communications began raising the hackles of privacy advocates Monday.

The exploit was first discovered by British Columbia-based systems design engineer Carl Voth on Oct. 5, 1998. Voth dubbed it the Reaper Exploit but was unable to generate wide-scale attention for the exploit's potential abuses, which range from spying on businesses' negotiations to harvesting e-mail addresses from a chain letter to create a spammer list.

The exploit allows a savvy Internet user, with access to a Web server and logging services, to intercept replies and forwards of e-mail messages equipped with it.

For instance, a company entering negotiations with another company might embed the exploit in an e-mail proposal and then harvest inside information about that company's bargaining position by intercepting replies and forwards as the message is circulated through that company's internal e-mail system.

Reaper utilizes another exploit called a Web bug -- known to marketers as pixel tags. A Web bug makes use of HTML e-mail's ability to display images by attaching a zero by zero pixel image. When a person opens an e-mail embedded with a Web bug, the e-mail contacts the server where the "image" is located and the server then records when the recipient retrieves the image.

Reaper adds another twist. It uses JavaScript to read the text of an e-mail and then send the content as a file name to the Web server.

"The JavaScript program takes the contents of the message and builds a URL out of it," said David Martin of the Department of Mathematics and Computer Science at the University of Denver Privacy Center, associated with The Privacy Foundation. "Then it goes to some predetermined Web server and says give me the page named [the URL]."

The server then copies down the name of the file requested, giving out the contents of the e-mail, and then sends back the zero by zero pixel image.
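A defender-side check for the two mechanisms described above, as an added example that is not part of the original article: it scans the HTML parts of a message for script content and for tiny remote images. The sample message, the host tracker.example and the names MailBodyScanner and scan_message are constructed for illustration, and flagging 1-pixel images as well as zero-pixel ones goes beyond the case in the text.

```python
from email import message_from_string
from html.parser import HTMLParser

class MailBodyScanner(HTMLParser):
    """Collects active content and remote images declared 0 or 1 pixel in size."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # parser already lowercases names
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        for name, value in a.items():
            if name.startswith("on"):  # onload, onclick, ... run script
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in ("src", "href") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"{tag}[{name}]"))
        if tag == "img":
            src = a.get("src", "").strip()
            remote = src.lower().startswith(("http://", "https://", "//"))
            tiny = all(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            if remote and tiny:
                self.findings.append(("web-bug", src))

def scan_message(raw):
    """Return (kind, detail) findings for every text/html part of a message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        scanner = MailBodyScanner()
        scanner.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
        scanner.close()
        findings.extend(scanner.findings)
    return findings

# Constructed sample message, not taken from the article; tracker.example is a placeholder.
SAMPLE = """\
Subject: Proposal
Content-Type: text/html; charset="utf-8"

<html><body onload="report()"><p>Please review the terms.</p>
<script>function report() { /* body elided */ }</script>
<img src="http://tracker.example/pixel.gif" width="0" height="0">
<img src="cid:logo" width="120" height="40">
</body></html>
"""
```

On the constructed sample, `scan_message(SAMPLE)` reports the onload handler, the inline script and the zero-size remote image, and leaves the `cid:` image alone. A remote image with no declared size also causes a server request when rendered, so a filter that strips all scripts and remote images is stricter than this report.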

"E-mail is okay and JavaScript is basically okay, but when you put them together it allows this unforeseen way of using the two in combination to violate peoples' privacy," said Edward W. Felten, associate professor of the Department of Computer Science at Princeton University and head of the Secure Internet Programming Laboratory. "And similarly, a lot of these security and privacy problems that have been found in browsers and related programs have been of that type where there is a way to exploit a combination of features in an unforeseen way to cause trouble. The addition of features and the connection between features is a common trend in Internet software. This kind of interaction is something that we should worry more about as we go forward."

When he first discovered Reaper, Voth contacted Microsoft Corp., which at the time put out one of the only e-mail clients with HTML capabilities. Voth said two weeks later the company sent him a T-shirt with a message saying that customers can protect themselves by disabling JavaScript.

"I was pleased that they were acknowledging the problem but floored that they would give me this weak line of 'we made the tradeoff, it's up to the user now,'" Voth told InternetNews Radio Monday. "But that's the problem. It isn't up to the user. The user cannot protect himself. I can take extreme diligence on my part. I can secure my system to the hilt. I can cripple my e-mail browser so it won't run JavaScript -- and believe me I do. I can do all of that. But if some attacker sent me an e-mail, and then I forward it to you, and just prior to forwarding it to you I type in some piece of information that I think is only going to be for your eyes, and then I send it on to you and you open it, and if you haven't secured


