Slashdot Mirror


New E-Mail Vulnerability - Trust Your Neighbor?

Anonymous Coward writes: "According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."


  1. Security models? by gattaca · · Score: 5

    Surely the problem is not with HTML or Javascript in emails at all - it's more to do with the fact that email browsers have a poor (if any) security model.

    One of the good things about client-side Java (rather than Javascript) is that it runs in a sandbox with a well defined security model that doesn't allow, for instance, content to be uploaded from the client machine unless you specifically say that that's OK by jumping through various hoops.

    The post refers to two problems: firstly, Javascript making a connection from a client machine when the client user doesn't want that to happen, and secondly, mailreaders allow modifications (such as adding content) to an HTML document, but do not distinguish between the original copy and the modified one. (By warning of embedded Javascript, or content stripping, or whatever).

    The problem is more to do with client browsers having a crap security model rather than the idea of having HTML or Javascript in an email in itself.
    I guess that most people who read or post to slashdot are happy with being able to use markups in their posts so they can italicise or embolden things or add links. HTML in text is a Good Thing here, are emails that different?

    Active content is another step along the way, but I can't see that it is a Bad Thing, if the security model is good. I don't know enough about Javascript to comment about whether this is possible. Any comments?

  2. Re:Another reason to stick to the RFC by Masem · · Score: 4
    Here's where you need to be careful.

    Let's say, in my HTML email with your client, I sent: <IMG SRC="mysecret.server.com/cgi/tracker.pl" HEIGHT=1 WIDTH=1> Where in the tracker.pl script, I just query the HTTP environment variables to tell what host the request came from and any other juicy details I might get, then return a 1x1 GIF image. There's no Javascript, and I don't need you to click on anything -- I just need you to open it and I can get information.

    HTML email is still very dangerous, and should be avoided.

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
  3. Minor Nitpick by Carnage4Life · · Score: 4

    But you're only safe if everyone else uses Pine, and everything they know uses, etc. Just need one java-enabled mail program in the link and everything's compromised

    Javascript isn't Java, they aren't even related in any way. Java is the architecture-neutral, object-oriented, portable, distributed, robust and secure programming language created by Sun Microsystems that can be used to create applets or standalone applications. Javascript is a scripting language originally designed for embedding in browsers which was created by Netscape in a braindead attempt to win the browser wars which instead fragmented the HTML and brought major insecurity to the web.

    Finally I doubt that any email clients are actually Java enabled (i.e. can launch applets, etc).

    Grabel's Law

  4. So, does this mean..... by carlos_benj · · Score: 5

    ...that Bill Gates can track how many people I forwarded that email to now? Gosh! I'm sure my check must be in the mail already.

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  5. Java isn't Javascript by Carnage4Life · · Score: 4

    All I have to say is that if you think Java is insecure

    Java is rather secure as can be seen by reading any of the numerous articles on the web about it. Javascript on the other hand is a disaster which was foisted on us by Netscape and exacerbated by Microsoft.

    PS: You do realize that the NY Times article is discussing a Javascript exploit and not a Java one, right?

    Grabel's Law

  6. "I can be careful, I'm still vulnerable." by MoNickels · · Score: 4

    Another reason HTML email is bad, besides: wasted bandwidth and storage space, slow loading times, cruddy appearance in text interfaces, interference of ads in personal messages, tracking users' habits by matching email address to cookie, bad cross-platform compatibility, necessity of being connected to view it as intended, being filtered or bounced by no-HTML mail lists, etc., etc. It's not really that much of a surprise.

    --

    Wordnik, a dictionary project which aims to collect

  7. the point by www.sorehands.com · · Score: 4
    The point I was trying to make is that even with javascript turned off, the information is sent. The original piece gives the impression that if everyone turned off javascript, you'd be safe.
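
Added example (not part of the original thread or the article): a Python audit of an HTML mail body, as a mail filter might run it, that lists script-driven content alongside passive remote fetches such as the 1x1 image in comment 2, and shows which findings remain when the reading client has scripting turned off. The names `MailAudit`, `audit`, `verdict` and the sample message are constructed for illustration; treating every source that is not `cid:` or `data:` as a remote fetch is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a client fetch a URL as soon as the message renders.
FETCH_ATTRS = {"src", "background", "poster", "data"}
# Elements that run code or embed another document.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
# Constructed sample: a script hook, an inline cid: image, and the tracker
# image quoted in comment 2 of the thread.
SAMPLE = """<html><body onload="report()">
<script>function report() { /* constructed placeholder */ }</script>
<p>Quarterly numbers attached.</p>
<img src="cid:logo@example.invalid">
<IMG SRC="mysecret.server.com/cgi/tracker.pl" HEIGHT=1 WIDTH=1>
</body></html>"""


class MailAudit(HTMLParser):
    """Collect (kind, tag, detail) findings from an HTML e-mail body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(("active", tag, ""))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on") or value.lower().startswith("javascript:"):
                self.findings.append(("active", tag, name))
            elif name in FETCH_ATTRS and value:
                # Assumption: only cid: (MIME part) and data: stay local.
                if urlsplit(value).scheme.lower() not in ("cid", "data"):
                    self.findings.append(("remote-fetch", tag, value))


def audit(html_body):
    """Return every finding in document order."""
    parser = MailAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings


def verdict(html_body, scripting_enabled):
    """Findings that still apply for a client with scripting on or off."""
    return [f for f in audit(html_body) if scripting_enabled or f[0] != "active"]
```

`verdict(SAMPLE, False)` still returns the tracker image, which is the point made in comments 2 and 7: disabling scripting removes the script findings but not the fetch that happens on open.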