New E-Mail Vulnerability - Trust Your Neighbor?
Anonymous Coward writes: "According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."
It's a way to confirm the reading of a message.
Fight Spammers!
In 20+ years of emailing, I have only come across one situation where I was even tempted to send or receive anything remotely resembling HTML e-mail (namely 'rich text' color to clarify or emphasize variables or passages buried in group code) and even then I prefer MIME attachments.
Further, my primary mail program (Eudora 4.22) is set to "send plain text only" and "don't ask". If I reply to or forward an HTML e-mail, all HTML is stripped out *before* sending (I tested it with an array of HTML spam "from the wild")
This setting should be basic netiquette (for email programs so equipped - and the feature should be *expected* for e-mail programs) Alas, in a world where even the carriage return is considered a nicety, I don't hold out much hope.
If you can't send javascript, the recipient can't carelessly mishandle it.
(I welcome any INFORMED, TESTED observations on the deficiencies of this method. One can never be too paranoid.)
Don't forget to disable HTML viewing of e-mail (Warning: often the provided check-box alone is not sufficient), and be stingy about what programs are permitted to access the usual HTTP ports. These are virtually painless security procedures. I can't recall ever being particularly inconvenienced by them.
There are already mail clients (Gnus for one) which parse informal markup - _underlining_, *bold*, /italic/ - delimited sigs and URLs in plain text messages without any of the bandwidth or security implications.
You can have your cake and eat it :)
>>>>truth; beauty; unix.<<<<
That's a rather tough assessment of Javascript. It certainly has its flaws, but on the other hand, it has made a lot of interactive Web-based applications possible that wouldn't have been doable otherwise.
Javascript has been standardised by ECMA for some time. There have been many security issues, but it's not clear that alternative technologies for doing the same things would have been safer.
As you no doubt know, the no registration version of the article is here.
That said, just as with web gnats/bugs, invisible GIFs, and suchlike, there are many ways to avoid this:
1. Use PINE. Who needs graphics anyway?
2. Turn off all Java, Javascript, etc and view all emails as Text. Then use the Copy and Paste functions to forward only the From:, Subject:, and Date: fields in the email along with the body of the text.
3. If you want to forward pictures or attachments, save them to a file, and convert any DOC or other embedded files to a non-embedded format such as ASCII Text. Then create an email and attach those new files instead.
4. Hunt down and launch boycotts and similar actions against the creators of these things. Show no mercy.
5. Send a copy of all such spam to all your legislators - municipal, county, state, federal, president/etc. Send it with the attachments and javascript. Include your name and address in the forward so the spam software on their end will not put it in the spam box, and ask them what they will do about it. And send a copy to uce@ftc.gov for fun.
--- Will in Seattle - What are you doing to fight the War?
Surely the problem is not with HTML or Javascript in emails at all - it's more to do with the fact that email browsers have a poor (if any) security model.
One of the good things about client-side Java (rather than Javascript) is that it runs in a sandbox with a well defined security model that doesn't allow, for instance, content to be uploaded from the client machine unless you specifically say that that's OK by jumping through various hoops.
The post refers to two problems: firstly, Javascript making a connection from a client machine when the client user doesn't want that to happen, and secondly, mailreaders allow modifications (such as adding content) to an HTML document, but do not distinguish between the original copy and the modified one (by warning of embedded Javascript, or content stripping, or whatever).
The problem is more to do with client browsers having a crap security model rather than the idea of having HTML or Javascript in an email in itself.
I guess that most people who read or post to slashdot are happy with being able to use markups in their posts so they can italicise or embolden things or add links. HTML in text is a Good Thing here, are emails that different?
Active content is another step along the way, but I can't see that it is a Bad Thing, if the security model is good. I don't know enough about Javascript to comment about whether this is possible. Any comments?
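One concrete defence against both problems described above is to strip active content from the HTML part before a message is quoted or forwarded, which is what clients that "strip to text" already do in a cruder way. The following is an added example (not code from the article, from Eudora or from any other mail client); the message it processes is constructed, and its tag and attribute lists are a deliberately small whitelist rather than a complete sanitiser:

```python
"""Strip active content (scripts, handlers, remote fetches) from a message's HTML parts before
quoting or forwarding it. Added example, not from the article or any mail client; SAMPLE is constructed."""
import email
import re
from email import policy
from html import escape
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet", "meta", "link", "form"}
BAD_SCHEME = re.compile(r"^\s*(javascript|vbscript|data):", re.I)
class ActiveContentStripper(HTMLParser):
    """Re-emits an HTML part minus anything that can run code or phone home."""
    def __init__(self):
        super().__init__()
        self.findings, self.out, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):   # parser lower-cases names, unescapes values
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
            self._skip += 1                    # drop the element and all of its content
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and BAD_SCHEME.match(value):
                self.findings.append(f"{name} on <{tag}> uses a script/data URL")
            elif name == "src" and not (value or "").startswith("cid:"):
                self.findings.append(f"remote fetch via <{tag}>")   # doubles as a read receipt
            else:
                kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize_html(html):
    """Return (cleaned html, findings) for one HTML part."""
    p = ActiveContentStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.findings

def sanitize_message(raw):
    """Parse a raw message and rewrite every text/html part in place."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            clean, found = sanitize_html(part.get_content())
            part.set_content(clean, subtype="html")
            findings.extend(found)
    return msg, findings

SAMPLE = """Subject: lunch?
Content-Type: text/html

<html><body onload="track()"><p>Lunch <b>Friday</b>?</p><script>x()</script>
<img src="http://tracker.example.invalid/1.gif"><a href="javascript:x()">hi</a>
</body></html>
"""
```

Inline images referenced by cid: (attached parts) are kept; anything that would make the reader's client fetch from the network is removed along with every script hook.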
I do believe that I agree with you that everyone should stick to non-HTML mail, but one HTML capability should be in all mail forms, and that is HTML links. I can't tell you how many relatives that I have that couldn't possibly figure out how to copy and paste something into their browser. Links are a necessity, but let's get rid of javascript and images right now.
The DOM APIs are not "totally nonstandardized". In fact they have been standardized by the W3C. The APIs supported by Mozilla/Netscape6 are basically just a little less and a little more than W3C DOM2. Konqueror is catching up fast. Opera is lagging behind a bit but is basically on the same path.
Only Microsoft, and WinIE in particular, are deliberately avoiding proper support for the standard DOM. But the subset of the W3C DOM that works in IE 5.5 is actually quite large and very useful.
Here's a simple fix. Edit sendmail.cf.
Make a filter:
Any e-mail that comes to you with X-Mailer: Microsoft Outlook Express 5.50.4133.2400 or similar in the headers, gets relayed to /dev/null.
Soon, the Windows proles will realize that sending to you is fruitless and will eventually go away.
Okay, fine, it's not practical, but it would still be fun to do.
Or, you could use Outlook's many vulnerabilities to break into your boss's computer and change his Windows startup tune to this in order to prove the point.
He doesn't use Outcast any more. I consider that to be a victory.
Fire and Meat. Yummy.
rr
Whatever is said in Latin sounds profound. (Quidquid latine dictum sit, altum videtur.)
*THIS* type of vulnerability is exactly one of the reasons that you should not be using HTML for email, particularly with the email clients that use an embedded browser window to display the information. Because not only do you as a malicious email sender gain access to the bugs that arise from the email client itself (eg the ability to email everyone in the address book from a script), but bugs inherited from the browser.
The email RFC says to stick to plain text for all messages, and if you do that, the only bugs that you will encounter will be those that are from the mailers, and it will be very hard to trigger security problems such as this. You might complain about losing formatting and such, but that's also why the Rich Text format was developed; it carries enough of the HTML formatting that some need to emphasize email but none of the deadweight that can trigger security and privacy violations. Unfortunately, RTF wasn't highly accepted and after MS did a nice 'embrace and extend' of it, it was pretty much worthless.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
There's an option in Netscape to specifically turn off Javascript support for mail and news - under the Preferences->Advanced tab.
I've been using that as long as I can remember, mainly to prevent Usenet spam posts from launching browser windows and such. I guess now there's an even better reason for it.
Of course, for mail I use pine and tkrat in console and X respectively, so I don't really care much about this.
You live in a dull grey world.
I enjoy the soft glow of phosphorescent dots building the font's character.
I suspect you'd be happy in pre-reform Russia, where there was none of that annoying advertising or any bright colors on the street.
I suspect you live in Redmond, where Bill and his partners would never advertise you with any bright colors or loud music.
The Linux command prompt is a hairshirt of denial.
Whatever cranks your tractor.
It was the marketers. The engineers originally called it Livescript but the marketers wanted to capitalize on the Java hype.
Here is the login-free URL
That's why I can't see any HTML email. Oh sure, you could just ignore everyone that uses it, sorta like buying a Beta VCR and ignoring all those movies that come out on VHS.
Bah.
I use Pine on my Linux boxen and Eudora on my Windows boxen.
My main (and favorite) VCR is a Sony SL-HF500 Beta Hi-Fi.
I rent the new movies on DVD. If I like 'em, I toss a new cassette into the Beta, and hit record. ('Course, they're for personal use only, they may get two viewings before they hit the bulk-eraser.)
Cool thing about Beta, to liken it to e-mail clients, is that it's immune to video virii like Macrovision.
Fire and Meat. Yummy.
That is the unfortunate truth to security; things are only as secure as the weakest link. I would argue that until the current state of email clients, usages, and so forth changes; we should have zero expectation of privacy in email. I would love to think [P]GP[G] will change the world in email privacy, but I suspect that Joe User will just get their key stolen through a javascript hole in their web browser (AKA mail client).
Matt
Don't take life so seriously; it isn't permanent.
/"\
:)
\ /
X ASCII Ribbon Campaign - Say NO to HTML in email
/ \
Originally created in Brazil by Tony de Marco
Better viewed in plain text
AOL's email client is not OE. It has inferior capabilities. Although many in this discussion apparently think that is a good thing.
----
"Oh, bother," said Pooh, as he hid Piglet's mangled corpse.
I believe that any email that passes through webmail, or has html stripped by some email program like Eudora will be inoculated.
Add this to the list of things that web mail programs will have to check for though....
The few features of HTML which are actually useful in email are properly used by selecting the Text/Enriched MIME format, see RFC1896.
Some mail gateways discard HTML before forwarding messages - more of them should.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
[RE: the no-reg-required link for nytimes]
Does the DMCA not currently state that by violating an access control measure, or publishing information to violate an access control measure that you are committing a felony and may be subject to jail time and large fines?
You might want to be careful about being so helpful in the future. Let this be a lesson to all of us. Do not use such links for in doing them, you may commit a crime.
-- This batch of insanity brought to you from the letter C and your favorite federal government.
This much has always been true in ANY private communication. The point of failure will always be what steps the recipient takes/doesn't take to protect that information. In order to communicate with another human being, this risk is inherent.
Singing "Paranoia may destroy yaaa..."
---"What did I say that sounded like 'Tell me about your day?'"---
You don't need some technological trick to harvest emails. Just put up a web page with an inane joke, animated gif, etc. and include a button that says, "Email to a Friend!". Voila! You've just harvested the email addresses of everyone who received an email from anyone who thought the web page was even faintly amusing.
The only defence, until people start treating other people's emails with more respect, is to keep two accounts. I personally only give out my work address, except to close and technically aware friends, at least then I get paid to read spam...
Waltz, nymph, for quick jigs vex Bud.
I think that HTML has its place in the email world, whether we like it or not. At work our help desk has to respond to emails from other internal departments where they are having trouble with something. And anyone who's tried to help out a friend who doesn't know too much about computers should realize that it's incredibly hard to use the phone or even a text email to convey how to do things.
Even the syntax Start -> Settings -> Control Panel -> Display Properties confuses most of them. So the solution that works is to put screenshots to illustrate how to do it. There really isn't any more elegant way short of physically finding the caller and working at his/her desk.
So agreed, we open up the security can of worms when we allow HTML. Perhaps there are solutions... non-HTML ways? Or only allowing internal email html to access resources (images) on the internal network? But many workplaces have important uses for the extra features with HTML, so instead of choosing the easy way out, (abolish HTML) perhaps we can find a better solution, if only out of necessity.
As you acknowledge, "a great deal of the HTML features are utterly useless in a E-mail." So why not educate others of this fact, instead of chopping it down to a black-and-white issue of all HTML or none at all.
Most users are not stupid, merely ignorant of some details. There is a difference, and much of this ignorance is due to techies that can't clearly express themselves.
Absolutely correct. But the point is that they both blow goats when implemented in email clients. As Beavis and Butthead point out - "You can't polish a turd."
Actually, they both blow goats in web sites too, but that's not relevant to the bit about turd-polishing or lusers who don't know the difference between a web browser and an email client ;)
I agree with you this is a bug not a feature, however, if you were not prepared to offer a non-buggy way to make the users who expect this happy, that might legitimately have earned you such an epithet.
Face it, the typical e-mail user these days does expect some formatting capabilities. There is a way to do this without diving into html-hell. See this. The Text/Enriched MIME format was designed to provide formatting capabilities that many users desire without the never-ending problems entailed by using HTML out of place. The makers of Pegasus Mail have taken a very usable approach to satisfy users' desires with the minimal messiness on the other end - HTML messages incoming can be parsed internally with a minimal module that only understands the most commonly used and innocuous tags, handed off to an external browser for parsing, or simply stripped to text. Formatted messages are normally sent using Text/Enriched; RTF is also available as an option (very useful if you know the recipient to be on a windows box.) So the pmail users can receive these annoying things and read them fine, but when they forward/reply they don't perpetuate the madness.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
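To make concrete what Text/Enriched (RFC 1896, mentioned in this post and in the earlier one about Text/Enriched and mail gateways) buys over HTML, here is an added example renderer (not Pegasus Mail's code or any client's) that honours only a closed set of formatting commands and has no notion of scripts or remote references. The input is constructed; the line-break rule and the `<<` escape follow RFC 1896, and unknown commands are ignored as the RFC requires:

```python
"""Render text/enriched (RFC 1896) to HTML with a closed set of formatting commands.
Added example, not from Pegasus Mail or any other client; SAMPLE is constructed."""
import re
from html import escape

# The only commands this renderer honours. Everything else (including <color>, whose
# <param> carries a value, and anything HTML-looking) is dropped, never interpreted.
TAGS = {"bold": "b", "italic": "i", "underline": "u", "fixed": "tt",
        "excerpt": "blockquote", "nofill": "pre"}
# <<  literal '<';  <param>...</param>  never displayed;  <cmd> / </cmd>;  newline runs;  text
TOKEN = re.compile(r"<<|<param>.*?</param>|</?([A-Za-z][A-Za-z0-9-]*)>|\n+|[^<\n]+", re.S)

def enriched_to_html(text):
    out, stack, nofill = [], [], 0
    for m in TOKEN.finditer(text):      # a lone '<' is malformed and simply skipped
        tok, name = m.group(), (m.group(1) or "").lower()
        if tok == "<<":
            out.append("&lt;")
        elif tok.startswith("<param>"):
            continue                    # parameters are not displayed (RFC 1896 s.2.1)
        elif name:
            closing = tok.startswith("</")
            if name == "nofill":
                nofill += -1 if closing else 1
            html_tag = TAGS.get(name)
            if not html_tag:
                continue                # unknown command: ignored, contents stay plain text
            if not closing:
                stack.append(html_tag)
                out.append(f"<{html_tag}>")
            elif html_tag in stack:     # close back to it so the output stays well-formed
                while stack:
                    t = stack.pop()
                    out.append(f"</{t}>")
                    if t == html_tag:
                        break
        elif tok.startswith("\n"):
            # RFC 1896: one newline is a space, n newlines are n-1 breaks, except in nofill
            out.append(tok if nofill else (" " if len(tok) == 1 else "<br>" * (len(tok) - 1)))
        else:
            out.append(escape(tok, quote=False))
    while stack:                        # close anything the sender left open
        out.append(f"</{stack.pop()}>")
    return "".join(out)

SAMPLE = ("Hi Bob,\n\n<bold>Do not</bold> forward the <italic>draft</italic>; use the\n"
          "<color><param>red</param>redlined</color> copy.\n\n<nofill>  x << y\n  y << z</nofill>\n"
          "<script>beep</script>\n")
```

The `<script>` in the sample is not a command the format defines, so its tags vanish and "beep" is rendered as ordinary text; there is no path from the markup to code execution or to a network fetch.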
It would be a great idea if someone would write up a subset of HTML as an RFC that could be used simply for text formatting (STRONG, BLOCKQUOTE, etc. - maybe even TABLE) for email use (and I would imagine there are many other uses, as well).
A primary design criterion is that the results should be human readable. e.g. formatting with hard returns and short tags...
I seriously plan to start using it Real Soon Now(TM), but getting rid of the current ones (and redoing all the subscriptions etc etc) will be a PITA. Yeah, I'm lazy. Sue me.
Can you supply any more details?
Who labelled the parent of this message insightful? RTFA!
I use Outlook Express (flame me later), I have disabled all scripting AND only reply or forward in plain text (OE can be setup to do this by default). This way there is no forwarding of any scripts. I'm sure Outlook can be configured the same.
Although I am too lazy to go find the article, I remember Slashdot reporting on this several months ago. If I remember correctly, ssn1 (formerly HackerNewsNetwork) first publicized the story. An excellent FAQ on Web Bugs is available at:
http://www.privacyfoundation.org/education/webbug.html
Your neighbor could, of course, copy your message into another message with the Javascript.
Trust your spellchecker?
Gamingmuseum.com: Give your 3D accelerator a rest.
But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised
Javascript isn't Java, they aren't even related in any way. Java is the architecture-neutral, object-oriented, portable, distributed, robust and secure programming language created by Sun Microsystems that can be used to create applets or standalone applications. Javascript is a scripting language originally designed for embedding in browsers which was created by Netscape in a braindead attempt to win the browser wars which instead fragmented the HTML and brought major insecurity to the web.
Finally I doubt that any email clients are actually Java enabled (i.e. can launch applets, etc).
Grabel's Law
forward this message to all your frends! Microsoft corp is going is conducting a test of email tracking software, will pay you $2500 for every message you forward. Intel, AOL, ICQ, and Disney corp are also somehow involved!
Heh, this I find interesting. I remember swearing up and down that getting a virus through email was impossible once, too.
Read The ReflectionEngine, a cyberpunk style n
...that Bill Gates can track how many people I forwarded that email to now? Gosh! I'm sure my check must be in the mail already.
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised.
--
All I have to say is that if you think Java is insecure
Java is rather secure as can be seen by reading any of the numerous articles on the web about it. Javascript on the other hand is a disaster which was foisted on us by Netscape and exacerbated by Microsoft.
PS: You do realize that the NY Times article is discussing a Javascript exploit and not a Java one, right?
Grabel's Law
Eudora used to include the ability to generate formatted, but non-HTML, text. It included everything you mention, and did not include any networking-specific code. It failed (no one else started to use it, so it was Eudora-specific, and HTML mail became all the rage). It would be a great idea if someone would write up a subset of HTML as an RFC that could be used simply for text formatting (STRONG, BLOCKQUOTE, etc. - maybe even TABLE) for email use (and I would imagine there are many other uses, as well).
Text/enriched seems to cover this (RFC 1896), but that is Eudora's failed attempt.
I would look for most mailers to move to where they get rid of image-fetching and JavaScript.
- (c) 2018 Hank Zimmerman
In true open source style, the bug was fixed pretty quickly and recent versions are, AFAIK, safe.
--
I tend to find PINE preferable to most graphical e-mail clients anyway, of course. It's fast and easy to use, I can access it from anywhere, and it isn't prone to all these nasty e-mail viruses. And if I want to view that ugly 'enhanced' content that only spammers seem to send, a tap of the return key loads it into Lynx. :^)
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
----
Another reason HTML email is bad, besides: wasted bandwidth and storage space, slow loading times, cruddy appearance in text interfaces, interference of ads in personal messages, tracking users' habits by matching email address to cookie, bad cross-platform compatibility, necessity of being connected to view it as intended, being filtered or bounced by no-HTML mail lists, etc., etc. It's not really that much of a surprise.
Wordnik, a dictionary project which aims to collect
This is going to further fuel the debate over whether or not email and news posting should consist of active (JavaScript, DHTML and so on) or passive (plain text, HTML) content. I suppose really it depends on what sort of person you are.
Whilst technically you can convey whatever information you want through the use of plain text (maybe using some *emphasis*) and attachments, for many this is a solution which is less convenient for them - it requires more clicks or keypresses to access, and doesn't present the information in quite such an integrated manner. And in the business world the phrase "time equals money" has been given the status of a law, with companies paying out huge sums of cash to time management consultants and the like. These people don't want any extra time or hassle in their emails, not when they're receiving well over a hundred every day.
For business types active content and embedded files mean more productivity and an easier email experience. They're not concerned about privacy issues, and if they are then well, it's the job of the IT guys, right? So this sort of bug is inevitable - either you cripple active content - something that's too late to do - or you try and provide rock solid security - a challenge people seem only too willing to take on.
It all depends on a) your willingness to expose yourself to risk, and b) your desire for presentation and convenience. Seeing as the web has moved from text-based to graphics-based in the majority, I think the future of email is going to be the same, whether we like it or not.
I think that I should be worried or annoyed by this but I (we) are so used to security holes, lack of privacy online, and spam that the general level of interest I can come up with is pretty minimal. On the one hand, it's pretty sad that there is so much of this stuff that we are desensitized to it; on the other hand, the Internet is still like the Wild West in a sense - it's a frontier with the requisite frontier mentality. I'm sure this has been said elsewhere better than I am saying it, but I think that the dynamic of those pushing the boundaries with advances versus those who try to exploit those boundaries versus those that try and stop them creates a better future world. Those of us on the fringes may be the occasional casualty, but maybe, just maybe, it's for the greater good...
There is no guarantee that the content has been read or understood.
Fight Spammers!
http://www.geocities.com/ResearchTriangle/Facility/8332/reaper-exploit-release.html
That's why it's imperative that people get back into the habit of *trimming their messages* instead of quoting absolutely everything they received.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
There was a buffer overflow in pine a while back which was potentially exploitable.
I use pine. You have my email address. Now try it.