The exploit was first discovered by British Columbia-based systems design engineer Carl Voth on Oct. 5, 1998. Voth dubbed it the Reaper Exploit but was unable to generate wide-scale attention for the exploit’s potential abuses, which range from spying on businesses’ negotiations to harvesting e-mail addresses from a chain letter to create a spammer list.
The exploit allows a savvy Internet user, with access to a Web server and logging services, to intercept replies and forwards of e-mail messages equipped with it.
For instance, a company entering negotiations with another company might embed the exploit in an e-mail proposal and then harvest inside information about that company’s bargaining position by intercepting replies and forwards as the message is circulated through that company’s internal e-mail system.
Reaper utilizes another exploit called a Web bug — known to marketers as pixel tags. A Web bug makes use of HTML e-mail’s ability to display images by attaching a zero by zero pixel image. When a person opens an e-mail embedded with a Web bug, the e-mail contacts the server where the “image” is located and the server then records when the recipient retrieves the image.
The server then copies down the name of the file requested, giving out the contents of the e-mail, and then sends back the zero by zero pixel image.
your browser…as soon as you open it that attacker has my information. My vulnerability is entirely dependent on how diligent you are.”
Voth eventually turned to Richard Smith, chief technology officer of The Privacy Foundation and the person who first exposed the Web bug exploit, to get the word out.
“This is an old issue,” Smith told InternetNews Radio Monday. “It’s three years old. It’s had very low visibility. Microsoft didn’t fix it. They continue to ship e-mail readers with the problem with no indications that they want to do anything about it.”
“No e-mail client should ever run executable content in an e-mail message,” Voth said. “I can’t think of a single good, practical reason as to why that would be necessary anyway…No e-mail client should ever forward a message with executable content that was not put there by the guy who’s doing the forwarding.”
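A defensive check for the two behaviours described above, the Web bug image fetch and executable content inside a message, is sketched below as an added example; it is not code from Voth, Smith or any mail client. The function names, the sample message and the one-pixel threshold are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_BUG_PX = 1  # assumption: treat 0x0 and 1x1 remote images as Web bugs


def _px(value):
    """Parse a width/height attribute such as '0' or '1px'; None if not a plain number."""
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    return int(text) if text.isdigit() else None


class MailAuditor(HTMLParser):
    """Collects Web bugs and executable content found in an HTML mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self.findings.append(("executable", "script element"))
        for name in a:
            if name.startswith("on"):  # inline event handlers: onload, onmouseover, ...
                self.findings.append(("executable", f"{tag} {name} handler"))
        if tag == "img":
            src = a.get("src", "")
            w, h = _px(a.get("width", "")), _px(a.get("height", ""))
            remote = urlsplit(src).scheme in ("http", "https")
            # Only width/height attributes are checked; CSS-sized images are not covered.
            if remote and w is not None and h is not None and max(w, h) <= MAX_BUG_PX:
                self.findings.append(("web_bug", src))


def audit_html(body):
    """Return (kind, detail) findings for one HTML message body, in document order."""
    parser = MailAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed sample message, not taken from a real e-mail.
SAMPLE = """<html><body><p>Proposal attached.</p>
<img src="http://tracker.example/bug.gif?id=constructed" width="0" height="0">
<img src="cid:logo" width="120" height="40">
<script>/* constructed placeholder */</script>
<a href="http://www.example/" onmouseover="void(0)">terms</a>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE):
        print(kind, detail)
```

A mail gateway or client could run such a check before rendering or forwarding a message and strip or block whatever it flags.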