E-mail wiretapping exposes forwarded messages
February 5, 2001
Privacy experts said Monday that they have discovered a security glitch that allows an e-mail author to read private comments attached to the original message as it gets forwarded to new recipients.
The Denver-based Privacy Foundation has nicknamed the problem "e-mail wiretapping." The watchdog group posted an advisory about the exploit Monday.
The eavesdropping glitch affects so-called HTML-enabled e-mail clients, which allow messages to appear--much like Web pages--with graphics and hyperlinks.
The vulnerability is the latest in a history of security holes involving the use of Web scripting languages to circumvent browsers' security restrictions. One of the most widely used scripting languages, which let Web sites execute one or more actions on visitors' computers, is JavaScript.
"Ever since software makers have followed the trend in allowing HTML to be embedded in e-mail, a number of security holes have been opened up," said Elias Levy, a security expert at Security Focus. "This is yet another example of where JavaScript can be executed when an HTML e-mail is opened, allowing someone to look over an e-mail as it is responded to or sent back and forth."
In the latest vulnerability, privacy experts found that by including JavaScript code in any e-mail, the original author could access forwarded versions of the message. The exploit uses standard JavaScript features and is not a bug within JavaScript.
E-mail customers affected include people who use Microsoft's Outlook, its Outlook Express or AOL Time Warner's Netscape 6 Mail, according to the Privacy Foundation advisory.
"There are no known instances of this exploit. The work-around for users is to disable JavaScript in mail," said Catherine Corre, a Netscape spokeswoman, who said the company will post a fix shortly.
"Netscape takes all privacy issues seriously," she added.
Earlier versions of Netscape aren't affected because they do not support the capabilities of the JavaScript DOM (Document Object Model). In addition, Qualcomm's Eudora and AOL 6.0 are not affected because JavaScript is turned off by default in those programs. Hotmail and other Web-based e-mail systems automatically remove JavaScript programs from incoming messages.
As demonstrated in the Privacy Foundation advisory, there are two ways someone could read the tapped e-mail content. Through one method, JavaScript places the content into a hidden form on the message and then sends it to a remote server.
The message content could also be sent to a spying reader using invisible tags, sometimes called "Web bugs." A Web bug is a hidden image used to transmit information from a browser back to a Web server being used by the spying reader. This method is not easily detectable.
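The kind of filtering the article credits Hotmail and other Web-based systems with, written here as an added example rather than code from the article or the Privacy Foundation advisory: a Python scanner that flags the two channels described above (JavaScript and hidden remote images) in a constructed HTML message and returns a copy with them stripped. MailScanner, scan_html_mail and the tracker.example host are assumptions made for this illustration.

```python
import html
from html.parser import HTMLParser

class MailScanner(HTMLParser):  # flags active content and Web bugs, rebuilds a clean body
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.clean, self._in_script = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":                      # JavaScript block: drop it whole
            self.findings.append("script element")
            self._in_script += 1
        if self._in_script:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):            # onload=, onclick=, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
            else:
                kept.append((name, value or ""))
        if tag == "img" and self._is_web_bug(dict(kept)):
            self.findings.append("hidden remote image (Web bug)")
            return                               # the beacon is removed entirely
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.clean.append(f"<{tag}{attr_text}>")
    @staticmethod
    def _is_web_bug(a):                          # remote src plus a 0/1-pixel box
        remote = a.get("src", "").lower().startswith(("http://", "https://"))
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return remote and tiny
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = max(0, self._in_script - 1)
        elif not self._in_script:
            self.clean.append(f"</{tag}>")
    def handle_data(self, data):                 # re-escape text so nothing is re-injected
        if not self._in_script:
            self.clean.append(html.escape(data, quote=False))

def scan_html_mail(body):                        # -> (findings, sanitized_html)
    p = MailScanner()
    p.feed(body)
    p.close()
    return p.findings, "".join(p.clean)
# Constructed sample (placeholder host) carrying both channels the advisory describes.
SAMPLE = ('<html><body onload="x()"><p>Please review the draft.</p>'
          '<script>/* would read the body on forward */</script>'
          '<img src="http://tracker.example/pixel.gif" width="1" height="1">'
          '<img src="cid:logo" width="200"></body></html>')
```

The inline `cid:` logo survives because it is not fetched from a remote server, which is the distinction a mail filter needs to make between ordinary embedded graphics and a beacon.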
"This is a pretty significant problem," said Richard Smith, chief technology officer at the Privacy Foundation and author of the advisory. "People wouldn't normally send a virus in their e-mail to other people. But human beings do like to snoop. If a company offered this as a type of service, we think a lot of users would want to use it."
Smith said his group has been putting pressure on software makers such as Microsoft and AOL Time Warner to leave JavaScript out of their e-mail products.
"There has been one problem after another with JavaScript," he said. "We've tried to tell them to take it out, but they haven't" done anything.
Because of the e-mail wiretapping problem and other security holes, the Privacy Foundation recommends that customers turn off JavaScript if they use e-mail software that supports HTML-enabled messages. The watchdog group has step-by-step instructions for this task on its Web site.
© 2001 Stefanie Olsen, News.com