E-Mail Vulnerable to Snoopers

By
<A HREF="mailto:sascha.i.segan@abcnews.com">Sascha Segan</A>
January 7, 2006, 7:41 AM ET
3 min read

Feb. 5, 2001 -- A feature in Microsoft's Outlook e-mail program may enable anyone to snoop on others' e-mail, a privacy advocate said today.

"We have nicknamed this problem 'e-mail wiretapping' because the exploit allows someone to surreptitiously monitor written messages attached to forwarded messages," Richard Smith, chief technology officer of Denver's Privacy Foundation, said in a "privacy advisory" on his group's Web site.

The problem affects HTML e-mail messages, which, unlike straight text messages, often have color and graphics as part of the message.

By attaching hidden Javascript code to an HTML e-mail, snoopers can ensure that a copy of the e-mail gets forwarded back to them every time it's replied to or forwarded along. So if you create "e-mail chains" — never starting a new letter, just hitting "reply" and letting the old text sit at the bottom of a message — the snooper will get a copy of every step of the chain.

This isn't a bug, Smith says. It's a feature in Javascript, a common Web programming language. Microsoft Outlook 98, Outlook 2000, Outlook Express 5 and the current version of Netscape 6 Mail all allow Javascript codes in e-mail messages by default. Other programs, such as Eudora, Outlook Express 5.5, AOL 6.0 and Netscape 4 Mail allow you to turn on Javascript in messages as an option, but they have Javascript turned off by default.

Anyone who uses an HTML-compatible mail program such as the above should check to see Javascript is turned off for mail messages, says Vincent Weafer, director of Symantec's Antivirus Research Center. (For details on how to do so, see the web links in the right-hand column of this story.)

"I think Javascript and active HTML content is just rife with all kinds of privacy problems," said Weld Pond, a security consultant with the firm @Stake. "The simple answer is just to turn it off. You can live without it."

Web-based e-mail systems like Hotmail and Yahoo! are not vulnerable to this problem.

Outlook’s Scripting Woes

This isn't the first time Outlook's scripting abilities have created security problems. Last year's "Love Bug" and 1999's Melissa worm both took advantage of a different scripting system, Visual Basic, to bend Outlook to their will.

Microsoft responded to those problems by developing a patch for Outlook that disables various scripting functions and makes it more secure. The latest version of Outlook Express also has Javascript turned off by default. (Though if someone with Javascript off forwards a "bugged" message to someone with Javascript on, the snooping code reawakens and moves into action.)

"This is not a new issue. The Microsoft Security Response Center thoroughly investigated it when it initially was reported over two years ago ... Customers who do not want [Javascript] functionality can disable it," Microsoft said in a statement.

But what's new about today's revelation, Weafer says, is that previous security alerts have focused on destructive viruses. This is the first to use e-mail scripting to invade people's privacy, he says.

"When you start talking about [threats to] privacy and confidentiality, it's certainly something people haven't quite associated with their e-mail systems," Weafer said.

Weld Pond agrees. Worms, viruses and security flaws such as this one should all be looked at from a privacy context, he said, because they can all be used to suck information out of your computer as well as to destroy data.

"Every security problem is a privacy problem," he said.