E-Mail Vulnerable to Snoopers

By ABC News
February 5, 2001, 2:15 PM

Feb. 5 -- A feature in Microsoft's Outlook e-mail program may enable anyone to snoop on others' e-mail, a privacy advocate said today.

"We have nicknamed this problem 'e-mail wiretapping' because the exploit allows someone to surreptitiously monitor written messages attached to forwarded messages," Richard Smith, chief technology officer of Denver's Privacy Foundation, said in a "privacy advisory" on his group's Web site.

The problem affects HTML e-mail messages, which, unlike straight text messages, often have color and graphics as part of the message.

By attaching hidden Javascript code to an HTML e-mail, snoopers can ensure that a copy of the e-mail gets forwarded back to them every time it's replied to or forwarded along. So if you create "e-mail chains" (never starting a new letter, just hitting "reply" and letting the old text sit at the bottom of a message), the snooper will get a copy of every step of the chain.

This isn't a bug, Smith says. It's a feature in Javascript, a common Web programming language. Microsoft Outlook 98, Outlook 2000, Outlook Express 5 and the current version of Netscape 6 Mail all allow Javascript code in e-mail messages by default. Other programs, such as Eudora, Outlook Express 5.5, AOL 6.0 and Netscape 4 Mail, allow you to turn on Javascript in messages as an option, but they have Javascript turned off by default.

Anyone who uses an HTML-compatible mail program such as the above should check to see that Javascript is turned off for mail messages, says Vincent Weafer, director of Symantec's Antivirus Research Center. (For details on how to do so, see the web links in the right-hand column of this story.)

"I think Javascript and active HTML content is just rife with all kinds of privacy problems," said Weld Pond, a security consultant with the firm @Stake. "The simple answer is just to turn it off. You can live without it."

Web-based e-mail systems like Hotmail and Yahoo! are not vulnerable to this problem.

Outlook's Scripting Woes