On the face of it, does email wiretapping sound scary? Yes? Yes
it is scary and you should now how it's done and how to combat
it.
A little while ago the known (but not known with a load presence)
organisation called "The US based Privacy Foundation" became
aware of a as un-yet widely known security hole in the latest
incarnations of email clients produced by Microsoft and Netscape.
The security loophole essentially allows the sender of an email
message to see what has been written when the message is
forwarded with comments to other recipients. This procedure has
been nickname "email wiretapping". As you can imagine this leads
to surreptitiously monitoring of written messages attached
and/or forwarded messages. Some not so pleasant uses involve:
1) In a sensitive business negotiation conducted via normal email,
one party can learn inside information from the other parties as
the proposal is discussed through the recipient company's
internal email system.
2) A seeded email message could capture thousands of email
addresses as the forwarded message is sent around the world.
Seeded with what? JavaScript is the answer and it can easily
hide in any HTML email. Of course the JavaScript capability has
to be enabled within the email client. Typical email readers with
JavaScript functionality include Outlook, Outlook Express, and
Netscape 6 Mail. Earlier versions of the Netscape mail readers
are not affected because they do not fully support all the
intricacies of JavaScript. Eudora and the AOL 6.0 series of email
readers are not affected because JavaScript is turned off by
default (but are vulnerable if turned on of course). Hotmail and
other web-based email systems automatically strip out JavaScript
programs from incoming email messages and therefore are not
vulnerable.
The loophole is made possible because JavaScript is able to read
text in an email message. If a message is forwarded to someone
else, the hidden JavaScript code can read any text that has been
added to the message when it is forwarded. This JavaScript code
executes when the forwarded message is read. The JavaScript code
then silently sends off this text using a hidden form to a web
server belonging to the original sender of the message. The
original sender can then retrieve the text at their convenience
and read it.
A "wiretapped" email message is difficult to detect. An
individual can avoid the email wiretap by turning off JavaScript
in the email reader. However, if the individual forwards the
message to someone who has JavaScript turned on, that
recipient's forwarded messages can still be" wiretapped".
Additionally, copying the original message into a new email,
rather than forwarding it, may not defeat the problem.
What can users can do?
It is possible to partially eliminate the email wiretapping
problem by turning off JavaScript in HTML email messages. You
can visit the home webpage for your appropriate browser package
if you are not sure on how to do this.
Switching off the JavaScript is only a partial solution because
a "wiretapped" message will still work if it is replied to, or
forwarded, to someone whose email program is vulnerable to the
malicious JavaScript. The best policy is some form of group or
corporate agreement on how to tackle this, especial where
commercially sensitive material is involved.
About the Author
Neville French
E-Inform is centred around email marketing, producing it's own
software products and resources + bespoke solutions for a
diverse range of clients.
http://www.1einform.com
