On the face of it, does email wiretapping sound scary? Yes? Yes, it is scary, and you should know how it's done and how to combat it.

A little while ago the known (but not known with a loud presence) organisation, the US-based "Privacy Foundation", became aware of an as-yet not widely known security hole in the latest incarnations of email clients produced by Microsoft and Netscape.

The security loophole essentially allows the sender of an email message to see what has been written when the message is forwarded with comments to other recipients. This procedure has been nicknamed "email wiretapping". As you can imagine, this leads to surreptitious monitoring of written messages, attached and/or forwarded. Some not so pleasant uses involve:

1) In a sensitive business negotiation conducted via normal email, one party can learn inside information from the other parties as the proposal is discussed through the recipient company's internal email system.

2) A seeded email message could capture thousands of email addresses as the forwarded message is sent around the world.

Seeded with what? JavaScript is the answer, and it can easily hide in any HTML email. Of course, the JavaScript capability has to be enabled within the email client. Typical email readers with JavaScript functionality include Outlook, Outlook Express, and Netscape 6 Mail. Earlier versions of the Netscape mail readers are not affected because they do not fully support all the intricacies of JavaScript. Eudora and the AOL 6.0 series of email readers are not affected because JavaScript is turned off by default (but are vulnerable if it is turned on, of course). Hotmail and other web-based email systems automatically strip out JavaScript programs from incoming email messages and therefore are not vulnerable.

The loophole is made possible because JavaScript is able to read text in an email message. If a message is forwarded to someone else, the hidden JavaScript code can read any text that has been added to the message when it is forwarded. This JavaScript code executes when the forwarded message is read. The JavaScript code then silently sends off this text, using a hidden form, to a web server belonging to the original sender of the message. The original sender can then retrieve the text at their convenience and read it.

A "wiretapped" email message is difficult to detect. An individual can avoid the email wiretap by turning off JavaScript in the email reader. However, if the individual forwards the message to someone who has JavaScript turned on, that recipient's forwarded messages can still be "wiretapped".

Additionally, copying the original message into a new email, rather than forwarding it, may not defeat the problem.

What can users do?

It is possible to partially eliminate the email wiretapping problem by turning off JavaScript in HTML email messages. You can visit the home webpage for your appropriate browser package if you are not sure how to do this.

Switching off JavaScript is only a partial solution, because a "wiretapped" message will still work if it is replied to, or forwarded, to someone whose email program is vulnerable to the malicious JavaScript. The best policy is some form of group or corporate agreement on how to tackle this, especially where commercially sensitive material is involved.
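
The article notes that web-based mail systems avoid the problem by stripping JavaScript from incoming mail. As an added example (not code from the original article), the following Python check is one way a mail gateway could flag HTML messages that carry the constructs described above: script elements, event handlers, javascript: URLs and hidden forms. The sample messages, the `placeholder()` handler and the `collector.example` host are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

URL_ATTRS = {"href", "src", "action", "background"}

class ActiveContentFinder(HTMLParser):
    """Records script-capable constructs in one HTML mail body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # names arrive lower-cased
        if tag == "script":
            self.findings.append("script element")
        if tag == "form":
            target = dict(attrs).get("action") or "(no action)"
            self.findings.append(f"form posting to {target}")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")
            elif (tag, name, value) == ("input", "type", "hidden"):
                self.findings.append("hidden form field")

def scan_message(raw: bytes) -> list:
    """Scan every text/html part of a raw message; [] means nothing found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample messages; the markup is an inert placeholder.
HEADERS = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: proposal\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n")
SEEDED = HEADERS + (b'<html><body onload="placeholder()"><p>Please review.</p>'
                    b'<form action="http://collector.example/" method="post">'
                    b'<input type="hidden" name="t"></form>'
                    b'<script>/* placeholder */</script></body></html>')
CLEAN = HEADERS + b"<html><body><p>Please review.</p></body></html>"

if __name__ == "__main__":
    for label, raw in (("seeded", SEEDED), ("clean", CLEAN)):
        print(label, scan_message(raw) or "no active content")
```

A gateway that quarantines or rewrites any message with a non-empty result protects recipients whose own mail reader still has JavaScript enabled, which is the gap the article says client-side settings leave open.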