HTML e-mail open to 'wiretaps'

March 14, 2001 —

An Internet privacy group warned last week that HTML e-mail can be rigged so that the sender can see whatever recipients write when forwarding the message to others.

This capability, likened by The Privacy Foundation to a wiretap, affects HTML e-mail programs that run JavaScript, a widely used scripting language for Web pages. These programs include Microsoft Outlook 2000, Outlook Express 5.0 and Netscape Messenger 6.0.

Users can protect themselves by shutting off JavaScript in their e-mail readers. But the embedded JavaScript "wiretap" in a message can still work if the message is forwarded to someone who has JavaScript turned on.

Richard Smith, CTO for the Denver privacy group, uncovered the vulnerability while conducting Web research. He credits programmer Carl Voth with first documenting the ability of JavaScript to intercept e-mail text in 1998.

The group has called for Microsoft and others to rework their programs so that JavaScript is off unless a user turns it on.

The complete report is available here.

Network World