Slashdot Mirror


New E-Mail Vulnerability - Trust Your Neighbor?

Anonymous Coward writes: "According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."

18 of 186 comments

  1. Wrong! by www.sorehands.com · · Score: 3
    SPAMMERS have been using HTML in emails. They set up a CGI script to pick up an email address from the message. That part of the caller passes the sent email to a script back on the server through an image call.

    It's a way to confirm the reading of a message.

  2. Why plain text and copy are best by WillSeattle · · Score: 3

    As you no doubt know, the no registration version of the article is here.

    That said, just as with web gnats/bugs, invisible GIFs, and suchlike, there are many ways to avoid this:

    1. Use PINE. Who needs graphics anyway?
    2. Turn off all Java, Javascript, etc and view all emails as Text. Then use the Copy and Paste functions to forward only the From:, Subject:, and Date: fields in the email along with the body of the text.
    3. If you want to forward pictures or attachments, save them to a file, and convert any DOC or other embedded files to a non-embedded format such as ASCII Text. Then create an email and attach those new files instead.
    4. Hunt down and launch boycotts and similar actions against the creators of these things. Show no mercy.
    5. Send a copy of all such spam to all your legislators - municipal, county, state, federal, president/etc. Send it with the attachments and javascript. Include your name and address in the forward so the spam software on their end will not put it in the spam box, and ask them what they will do about it. And send a copy to uce@ftc.gov for fun.

    --
    --- Will in Seattle - What are you doing to fight the War?
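Steps 2 and 3 above, done mechanically: the following is an added example for this thread, not code from the article or from the poster. It parses a message, quotes only the From:, Subject: and Date: fields plus the text/plain body, and builds a fresh text/plain message, so nothing from an HTML part (script, remote image, or anything else) is carried into the forward. The sample message, the addresses and the tracker host are constructed for the demo.

```python
"""Forward only the headers and plain-text body of a message.

Added example for this thread, not code from the article or the
posters: it does by machine what steps 2 and 3 of the post describe
doing by hand.  The message below is constructed for the demo.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed sample: a multipart/alternative message whose HTML part
# carries a script and a remote 1x1 image, as discussed in the thread.
SAMPLE_RAW = b"""\
From: alice@example.com
To: bob@example.com
Date: Mon, 05 Feb 2001 09:00:00 -0800
Subject: Q1 numbers
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Bob, the numbers look fine. Thoughts?
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Bob, the numbers look fine. Thoughts?</p>
<img src="http://tracker.invalid/t.gif?id=7f3a" width="1" height="1">
<script>/* would read and send the body on forward */</script>
</body></html>
--b1--
"""

FORWARD_HEADERS = ("From", "Date", "Subject")  # the only fields quoted


def plain_text_body(msg):
    """Return the text/plain body and ignore every other part.

    A message that has only an HTML part is refused rather than
    rendered, so nothing from the HTML ever reaches the new message.
    """
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        raise ValueError("no text/plain part; refusing to forward HTML")
    return part.get_content()


def build_forward(raw, sender, recipient):
    """Build a new text/plain EmailMessage that quotes only the chosen
    headers and the plain body of the original.  Attachments are
    deliberately not carried over: save them and re-attach by hand, as
    step 3 of the post says."""
    original = email.message_from_bytes(raw, policy=policy.default)
    body_lines = ["---------- Forwarded message ----------"]
    for name in FORWARD_HEADERS:
        body_lines.append(f"{name}: {original.get(name, '')}")
    body_lines.append("")
    body_lines.append(plain_text_body(original))

    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = recipient
    fwd["Subject"] = "Fwd: " + (original.get("Subject") or "")
    fwd.set_content("\n".join(body_lines))  # text/plain, no HTML alternative
    return fwd


if __name__ == "__main__":
    print(build_forward(SAMPLE_RAW, "bob@example.com", "carol@example.com"))
```

The refusal in plain_text_body is the important design choice: a message that arrives as HTML only is not "converted", because any conversion that renders the HTML is exactly the step that fetches the image or runs the script.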
  3. Security models? by gattaca · · Score: 5

    Surely the problem is not with HTML or Javascript in emails at all - its more to do with the fact that email browsers have a poor (if any) security model.

    One of the good things about client-side Java (rather than Javascript) is that it runs in a sandbox with a well defined security model that doesn't allow, for instance, content to be uploaded from the client machine unless you specifically say that that's OK by jumping through various hoops.

    The post refers to two problems: firstly, Javascript making a connection from a client machine when the client user doesn't want that to happen, and secondly, mailreaders allow modifications (such as adding content) to an HTML document, but do not distinguish between the original copy and the modified one. (By warning of embedded Javascript, or content stripping, or whatever).

    The problem is more to do with client browsers having a crap security model rather than the idea of having HTML or Javascript in an email in itself.
    I guess that most people who read or post to slashdot are happy with being able to use markups in their posts so they can italicise or embolden things or add links. HTML in text is a Good Thing here, are emails that different?

    Active content is another step along the way, but I can't see that it is a Bad Thing, if the security model is good. I don't know enough about Javascript to comment about whether this is possible. Any comments?

  4. Simple Fix: Edit sendmail.cf... by BigBlockMopar · · Score: 3

    Here's a simple fix. Edit sendmail.cf.

    Make a filter:

    Any e-mail that comes to you with X-Mailer: Microsoft Outlook Express 5.50.4133.2400 or similar in the headers, gets relayed to /dev/null.

    Soon, the Windows proles will realize that sending to you is fruitless and will eventually go away.

    Okay, fine, it's not practical, but it would still be fun to do.

    Or, you could use Outlook's many vulnerabilities to break into your boss's computer and change his Windows startup tune to this in order to prove the point.

    He doesn't use Outcast any more. I consider that to be a victory.

    --
    Fire and Meat. Yummy.
  5. Another reason to stick to the RFC by Masem · · Score: 3
    A few weeks back we had a discussion here about a new email client for Linux that was 'compatible' with LookOut, including support for HTML email. I posted a small rant on why that's not a feature, but a bug, and a few called me a Luddite.

    *THIS* type of vulnerability is exactly one of the reasons that you should not be using HTML for email, particularly with the email clients that use an embedded browser window to display the information. Because not only do you as a malicious email sender gain access to the bugs that arise from the email client itself (eg the ability to email everyone in the address book from a script), but bugs inherited from the browser.

    The email RFC says to stick to plain text for all messages, and if you do that, the only bugs that you will encounter will be those that are from the mailers, and it will be very hard to trigger security problems such as this. You might complain about losing formatting and such, but that's also why the Rich Text format was developed; it carries enough of the HTML formatting that some need to emphasize email but none of the deadweight that can trigger security and privacy violations. Unfortunately, RTF wasn't highly accepted and after MS did a nice 'embrace and extend' of it, it was pretty much worthless.

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
    1. Re:Another reason to stick to the RFC by Masem · · Score: 4
      Here's where you need to be careful.

      Let's say, in my HTML email with your client, I sent: <IMG SRC="http://mysecret.server.com/cgi/tracker.pl" HEIGHT=1 WIDTH=1> Where in the tracker.pl script, I just query the HTTP environment variables to tell what host the request came from and any other juicy details I might get, then return a 1x1 GIF image. There's no Javascript, and I don't need you to click on anything -- I just need you to open it and I can get information.

      HTML email is still very dangerous, and should be avoided.

      --
      "Pinky, you've left the lens cap of your mind on again." - P&TB
      "I can see my house from here!" - ST:
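The server side of the 1x1 image trick that sorehands (comment 1) and Masem (above) describe, as an added example for this thread: this is not the tracker.pl from the post and not anyone's production script, just a stand-in in Python for that CGI. The recipient table, the token values, the tracker host and the sample request are constructed for the demo. It shows the two things a practitioner should take from the thread: the tag needs no JavaScript, and one opaque token per recipient is enough to turn "someone opened it" into "this address is live, read on this client, from this IP".

```python
"""What the server behind a 1x1 tracking image sees.

Added example for this thread, not the script the posters describe;
it stands in for the 'tracker.pl' CGI in the post.  The recipient
table, tracker host and request below are constructed for the demo.
"""
from urllib.parse import parse_qs, urlencode

# Smallest valid transparent GIF89a (43 bytes): what the "image" really is.
ONE_BY_ONE_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02\x44\x01\x00\x3b"
)

# Constructed: the sender assigns one opaque token per recipient before
# mailing, so the URL alone says which address was read (and is live).
TOKENS = {
    "9c1e4b": "bob@example.com",
    "d27a0f": "carol@example.com",
}

TRACKER_URL = "http://tracker.invalid/cgi/tracker"  # hypothetical host


def beacon_tag(token):
    """The <IMG> the sender embeds, one per recipient.  No JavaScript."""
    url = TRACKER_URL + "?" + urlencode({"id": token})
    return f'<IMG SRC="{url}" HEIGHT=1 WIDTH=1>'


def handle_tracker(environ):
    """CGI-style handler: log what the fetch reveals, return the GIF.

    `environ` is the CGI environment (REMOTE_ADDR, HTTP_USER_AGENT,
    QUERY_STRING ...).  Everything in the record comes from the mail
    client's own request; the recipient clicked nothing.
    """
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    token = qs.get("id", [""])[0]
    record = {
        "recipient": TOKENS.get(token, "unknown-token"),
        "remote_addr": environ.get("REMOTE_ADDR"),
        "user_agent": environ.get("HTTP_USER_AGENT"),  # names the mail client
        "opened": True,
    }
    headers = [
        ("Content-Type", "image/gif"),
        ("Content-Length", str(len(ONE_BY_ONE_GIF))),
        ("Cache-Control", "no-store"),  # force a fresh fetch on every open/forward
    ]
    return record, headers, ONE_BY_ONE_GIF


if __name__ == "__main__":
    # Constructed request, as the CGI sees it when Bob's client renders the mail.
    request = {
        "REMOTE_ADDR": "192.0.2.44",
        "HTTP_USER_AGENT": "Mozilla/4.76 [en] (Windows NT 5.0; U)",
        "QUERY_STRING": "id=9c1e4b",
    }
    rec, _, _ = handle_tracker(request)
    print(beacon_tag("9c1e4b"))
    print(rec)
```

When Bob forwards the message unchanged, Carol's client fetches the same token from a different address, so the log shows the forwarding chain as well; the only client-side defence is not fetching remote images at all, which is exactly why the plain-text and "strip everything not on an allowlist" approaches elsewhere in this thread work and "turn off JavaScript" does not.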
    2. Re:Another reason to stick to the RFC by roca · · Score: 3

      The RFCs do NOT say to "stick to plain text for all messages". There are a number of MIME RFCs that are explicitly designed to make it possible to send anything you want in email.

      HTML email may or may not be a good idea, but don't try invoking the RFCs to stamp it out, because they're not on your side.

  6. Enable Javascript for Mail and News by Phaid · · Score: 3

    There's an option in Netscape to specifically turn off Javascript support for mail and news - under the Preferences->Advanced tab.

    I've been using that as long as I can remember, mainly to prevent Usenet spam posts from launching browser windows and such. I guess now there's an even better reason for it.

    Of course, for mail I use pine and tkrat in console and X respectively, so I don't really care much about this.

  7. ASCII Ribbon Campaign - Say NO to HTML in email by Pac · · Score: 3

    /"\
    \ /
    X ASCII Ribbon Campaign - Say NO to HTML in email
    / \

    Originally created in Brazil by Tony de Marco
    Better viewed in plain text :)

  8. Re:That's Why..... by DeadSea · · Score: 3
    Hotmail is said to not be vulnerable. I believe that hotmail (and many other web based email providers) strip out all but some allowed subset of html (sort of like Slashdot's allowed html in comments.) I use Eudora and when I send a forwarded message it asks me if I want to send it plain or styled. I always select plain.

    I believe that any email that passes through webmail, or has html stripped by some email program like Eudora will be inoculated.

    Add this to the list of things that web mail programs will have to check for though....

  9. Minor Nitpick by Carnage4Life · · Score: 4

    But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised

    Javascript isn't Java, they aren't even related in any way. Java is the architecture-neutral, object-oriented, portable, distributed, robust and secure programming language created by Sun Microsystems that can be used to create applets or standalone applications. Javascript is a scripting language originally designed for embedding in browsers which was created by Netscape in a braindead attempt to win the browser wars which instead fragmented the HTML and brought major insecurity to the web.

    Finally I doubt that any email clients are actually Java enabled (i.e. can launch applets, etc).

    Grabel's Law

  10. So, does this means..... by carlos_benj · · Score: 5

    ...that Bill Gates can track how many people I forwarded that email to now? Gosh! I'm sure my check must be in the mail already.

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  11. Re:That's Why..... by nomadic · · Score: 3

    But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised.

  12. Java isn't Javascript by Carnage4Life · · Score: 4

    All I have to say is that if you think Java is insecure

    Java is rather secure as can be seen by reading any of the numerous articles on the web about it. Javascript on the other hand is a disaster which was foisted on us by Netscape and exacerbated by Microsoft.

    PS: You do realize that the NY Times article is discussing a Javascript exploit and not a Java one, right?

    Grabel's Law

  13. "I can be careful, I'm still vulnerable." by MoNickels · · Score: 4

    Another reason HTML email is bad, besides: wasted bandwidth and storage space, slow loading times, cruddy appearance in text interfaces, interference of ads in personal messages, tracking users' habits by matching email address to cookie, bad cross-platform compatibility, necessity of being connected to view it as intended, being filtered or bounced by no-HTML mail lists, etc., etc. It's not really that much of a surprise.

    --

    Wordnik, a dictionary project which aims to collect

  14. Active vs passive content in emails by sharkticon · · Score: 3

    This is going to further fuel the debate over whether or not email and news posting should consist of active (JavaScript, DHTML and so on) or passive (plain text, HTML) content. I suppose really it depends on what sort of person you are.

    Whilst technically you can convey whatever information you want through the use of plain text (maybe using some *emphasis*) and attachments, for many this is a solution which is less convenient for them - it requires more clicks or keypresses to access, and doesn't present the information in quite such an integrated manner. And in the business world the phrase "time equals money" has been given the status of a law, with companies paying out huge sums of cash to time management consultants and the like. These people don't want any extra time or hassle in their emails, not when they're receiving well over a hundred every day.

    For business types active content and embedded files mean more productivity and an easier email experience. They're not concerned about privacy issues, and if they are then well, it's the job of the IT guys, right? So this sort of bug is inevitable - either you cripple active content - something that's too late to do - or you try and provide rock solid security - a challenge people seem only too willing to take on.

    It all depends on a) your willingness to expose yourself to risk, and b) your desire for presentation and convenience. Seeing as the web has moved from text-based to graphics-based in the majority, I think the future of email is going to be the same, whether we like it or not.


  15. Re:Security by jovlinger · · Score: 3

    This is why PGP has the option to mark a message as decryptable to screen only. While you are [always] completely hosed if your recipient is malicious, this sort of annotation will make it harder for recipients downstream to compromise you if they are merely lacking in clue.

    The lesson is that active documents are a bad idea, unless they have extremely well thought out security infrastructures. Does anyone have pointers to such infrastructures?

    Let me also ask my standard question that I've been asking since I first heard of web-bugs: how come there isn't a standard for sending out self contained html document clusters -- several linked pages, with all the graphics and files they need to be viewed? You could then use the standard "you are about to view an insecure page" when you click on any external links they might have.

  16. the point by www.sorehands.com · · Score: 4
    The point I was trying to make is that even with javascript turned off, the information is sent. The original piece gives the impression that if everyone turned off javascript, you'd be safe.