
Email Wiretapping

Imagine a world where your email could be bugged, your every forwarded word spied upon. Welcome to that world. Email can be wiretapped, forwarded text can be retrieved, and it can be used against you.

Using standard, documented JavaScript, any text added to an email message when it is forwarded can be read and surreptitiously sent to the original sender's web server. In its most "benign" form, such tactics could be used to harvest email addresses for mailing list purposes. At its most malignant, confidential information can be obtained and used against the unwitting victims. In no case is it ethical, or even legal, to perform such wiretapping.

If the wiretap were embedded in one of the prevalent hoaxes or joke emails that are routinely forwarded, potentially thousands of email addresses could be harvested in a single day. Ironically, there are hoaxes alleging email tracking and cash payoffs by well-known vendors. To date, the standard response to senders of such hoaxes has been that email tracking is impossible. Truth is, as they say, stranger than fiction.

According to Julia Scheeres, reporter for Wired News, the vulnerability was discovered by Carl Roth in 1998 but, despite his repeated efforts to report it, was not acknowledged by the security industry and the Privacy Foundation until recently. Julia's article, "Friends Don't E-Mail Friends HTML", discusses the hurdles Carl was forced to overcome before the exploit would be given due attention. Now that it has, both Microsoft and Netscape recommend disabling JavaScript in email until a patch can be released to address the wiretapping potential.

Disabling JavaScript protects only the recipient who disables it. When the email is forwarded on to a user who does not have JavaScript disabled, the wiretap reactivates and any new text is sent to the originator's web server.

Microsoft Outlook, Outlook Express, and Netscape 6 mail are vulnerable, as are any other HTML-enabled email readers with JavaScript enabled. Web-based email systems such as those offered by Yahoo! and Hotmail are not vulnerable as they automatically strip JavaScript from incoming email messages.

The Email Help Center contains detailed instructions for disabling JavaScript in Microsoft Outlook, Outlook Express, and Netscape.

Microsoft Outlook® 98 and 2000 users have the option of installing the same patch made available by Microsoft after the LoveLetter epidemic. However, the patch has been determined to possibly conflict with certain third-party applications and remove functionality from Outlook. Anyone desiring to download the patch should first thoroughly read and understand the details of the patch: http://office.microsoft.com/2000/downloaddetails/Out2ksec.htm.
