Slashdot Mirror

← Back to Stories (view on slashdot.org)

New E-Mail Vulnerability - Trust Your Neighbor?

Posted by timothy on from the never-trust-anyone-over-30-inches dept.

Anonymous Coward writes: "According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."

2 of 186 comments (clear)

  1. Security models? by gattaca · · Score: 5

    Surely the problem is not with HTML or Javascript in emails at all - its more to do with the fact that email browsers have a poor (if any) security model.

    One of the good things about client-side Java (rather than Javascript) is that it runs in a sandbox with a well defined security model that doesn't allow, for instance, content to be uploaded from the client machine unless you specifically say that that's OK by jumping through various hoops.

    The post refers to two problems: firstly, Javascript making a connection from a client machine when the client user doesn't want that to happen, and secondly, mailreaders allow modifications (such as adding content) to an HTML document, but do not distinguishing between the original copy and the modified one. (By warning of embedded Javascript, or content stripping, or whatever).

    The problem is more to do with client browsers having a crap security model rather than the idea of having HTML or Javascript in an email in itself.
    I guess that most people who read or post to slashdot are happy with being able to use markups in their posts so they can italicise or embolden things or add links. HTML in text is a Good Thing here, are emails that different?

    Active content is another step along the way, but I can't see that it is a Bad Thing, if the security model is good. I don't know enough about Javascript to comment about whether this is possible. Any comments?

  2. So, does this means..... by carlos_benj · · Score: 5

    ...that Bill Gates can track how many people I forwarded that email to now? Gosh! I'm sure my check must be in the mail already.

    --

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.