HTML E-mail Clients Susceptible to ‘Wire-Tapping’

A two-and-a-half-year-old JavaScript exploit which utilizes the HTML e-mail features of Microsoft Outlook, Outlook Express and Netscape 6.0 Mail to “wire-tap” e-mail communications began raising the hackles of privacy advocates Monday.

The exploit was first discovered by British Columbia-based systems design engineer Carl Voth on Oct. 5, 1998. Voth dubbed it the Reaper Exploit but was unable to generate wide-scale attention for the exploit’s potential abuses, which range from spying on businesses’ negotiations to harvesting e-mail addresses from a chain letter to create a spammer list.

The exploit allows a savvy Internet user, with access to a Web server and logging services, to intercept replies and forwards of e-mail messages equipped with it.

For instance, a company entering negotiations with another company might embed the exploit in an e-mail proposal and then harvest inside information about that company’s bargaining position by intercepting replies and forwards as the message is circulated through that company’s internal e-mail system.

Reaper utilizes another exploit called a Web bug — known to marketers as pixel tags. A Web bug makes use of HTML e-mail’s ability to display images by attaching a zero by zero pixel image. When a person opens an e-mail embedded with a Web bug, the e-mail contacts the server where the “image” is located and the server then records when the recipient retrieves the image.
Reaper adds another twist. It uses JavaScript to read the text of an e-mail and then send the content as a file name to the Web server.

“The JavaScript program takes the contents of the message and builds a URL out of it,” said David Martin of the Department of Mathematics and Computer Science at the University of Denver Privacy Center, associated with The Privacy Foundation. “Then it goes to some predetermined Web server and says give me the page named [the URL].”

The server then copies down the name of the file requested, giving out the contents of the e-mail, and then sends back the zero by zero pixel image.

“E-mail is okay and JavaScript is basically okay, but when you put them together it allows this unforeseen way of using the two in combination to violate peoples’ privacy,” said Edward W. Felten, associate professor of the Department of Computer Science at Princeton University and head of the Secure Internet Programming Laboratory. “And similarly, a lot of these security and privacy problems that have been found in browsers and related programs have been of that type where there is a way to exploit a combination of features in an unforeseen way to cause trouble. The addition of features and the connection between features is a common trend in Internet software. This kind of interaction is something that we should worry more about as we go forward.”

When he first discovered Reaper, Voth contacted Microsoft Corp., which at the time put out one of the only e-mail clients with HTML capabilities. Voth said two weeks later the company sent him a T-shirt with a message saying that customers can protect themselves by disabling JavaScript.

“I was pleased that they were acknowledging the problem but floored that they would give me this weak line of ‘we made the tradeoff, it’s up to the user now,'” Voth told InternetNews Radio Monday. “But that’s the problem. It isn’t up to the user. The user cannot protect himself. I can take extreme diligence on my part. I can secure my system to the hilt. I can cripple my e-mail browser so it won’t run JavaScript — and believe me I do. I can do all of that. But if some attacker sent me an e-mail, and then I forward it to you, and just prior to forwarding it to you I type in some piece of information that I think is only going to be for your eyes, and then I send it on to you and you open it, and if you haven’t secured

your browser…as soon as you open it that attacker has my information. My vulnerability is entirely dependent on how diligent you are.”

Voth eventually turned to Richard Smith, chief technology officer of The Privacy Foundation and the person who first exposed the Web bug exploit, to get the word out.

“This is an old issue,” Smith told InternetNews Radio Monday. “It’s three years old. It’s had very low visibility. Microsoft didn’t fix it. They continue to ship e-mail readers with the problem with no indications that they want to do anything about it.”

Since Voth first discovered Reaper, other e-mail clients like Eudora and Netscape have added HTML capabilities. Eudora and AOL 6.0’s e-mail readers ship with JavaScript turned off by default, but if it is turned on those clients too would presumably be susceptible. In any case, they are still capable of passing the Reaper exploit along.

“No e-mail client should ever run executable content in an e-mail message,” Voth said. “I can’t think of a single good, practical reason as to why that would be necessary anyway…No e-mail client should ever forward a message with executable content that was not put there by the guy who’s doing the forwarding.”

Web-based e-mail systems like Hotmail are not susceptible because they automatically strip JavaScript programs from incoming mail.

News Around the Web