find us on facebook!
 

Microsoft, Netscape Email Flaw Uncovered


February 7, 2001

A flaw has been uncovered in Microsoft's Outlook and Netscape's Mail email software, that allows senders to surreptitiously track when their messages are opened and whether they are forwarded to other recipients.

According to an alert by US organisation the Privacy Foundation, the snooping technology could be exploited if both sender and recipient are using either Microsoft Outlook, Outlook Express or Netscape 6 Mail.

The so-called 'wiretapping' flaw affects HTML-enabled mail readers with JavaScript activated by default. If messages with JavaScript are forwarded to others, the hidden code can read any text that has been added and sends this to a web server belonging to the original sender for retrieval.

The inclusion of JavaScript in messages also enables senders to be notified when emails are opened, explained researchers at the Privacy Foundation.

Richard Smith, technical director at the Foundation, said: "It underscores the systematic privacy vulnerabilities of the internet. The possibility of email wiretapping is one of the most egregious violations imaginable and therefore opens up a nefarious business opportunity that should be watched closely."

Officials at both Microsoft and Netscape acknowledged the existence of the flaw, but Netscape claimed that there have been no known instances of the security hole being exploited.

A Microsoft spokesman said the company released a patch for the flaw a year ago, while a Netscape spokeswoman said an update for Netscape 6 Mail would be available within the next few days. Users of Netscape Communicator are not at risk, she added.

The Foundation has also published details at its website of how to turn off JavaScript in emails, and has asked both Microsoft and Netscape to deactivate the code by default in all of their email reader products. According to the researchers, users of internet-based email services such as Hotmail, and systems from America Online and Eudora, are not affected.

Smith warned that the exploit could be used to "listen in" on internal company conversations as messages are passed between recipients, or to harvest thousands of email addresses as messages are forwarded around the world.

To see more of VNUNet go to http://www.vnunet.com

© 2001 VNU Business Online Limited (UK)


« Back to the news list

 
(c) EMMA Labs, 2016 | No Spam Policy