Topic: Yes, Email can be wiretapped, and easier than you think
JohnnyO

Moderator

Posts: 4259
From: Houston, TX, USA
Registered: Apr 2000

posted February 11, 2001 07:29 AM



The Privacy Foundation has recently learned of a security exploit that allows the sender of an email message to see what has been written when the message is forwarded with comments to other recipients. They nicknamed this problem "email wiretapping" because the exploit allows someone to surreptitiously monitor written messages attached to forwarded messages. It could even be offered as a 'marketing service' by offshore companies. The URL below links to the article on the Privacy Foundation website.

The exploit requires the person reading a wiretapped email message to be using an HTML-enabled email reader that also has JavaScript turned on by default. Affected email readers include Outlook, Outlook Express, and Netscape 6 Mail. The exploit is made possible because JavaScript is able to read text in an email message. If a message is forwarded to someone else, the hidden JavaScript code in the page can read any text that has been added to the message when it is forwarded.

This JavaScript code executes when the forwarded message is read. The code then silently sends off this text using a Web bug, or a hidden form, to a Web server belonging to the original sender of the message. The sender can then retrieve the text and read it. All of this uses standard documented features of JavaScript.

You can avoid the email wiretap by turning off JavaScript in the email reader. However, if the individual forwards the message to someone who has JavaScript turned on, that recipient's forwarded messages can still be wiretapped. In addition, copying the original message into a new email, rather than forwarding it, may not defeat the exploit. For the instructions on how to turn off the Active Scripting that allows this:
http://www.privacyfoundation.org/advisories/advemailwiretap.html


HappyScrappy

Pro Bodybuilder

Posts: 555
From:
Registered: Dec 2000

posted February 11, 2001 10:28 AM



I recall seeing this - it isn't all that complicated even. The annoying thing is you can have JS turned off on your machine, or be using a browser that won't execute it (pine), but if you are communicating with someone else that is open, then the thread/discussion is still viewable.

The code for this is pretty basic if I recall correctly - it fakes that there is an image object, but instead onload dumps the contents of the message into that object and then you do with that what you like.
I've programmed for business apps before using all the same stuff, but it was all for legit purposes.

------------------
The Downside Of Being Better Than Everyone Else Is That People Tend To Assume You're Pretentious.


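A defender-side check for the pattern described in the two posts above (script in an HTML message, an image with an onload handler, a Web bug or form that calls out to a remote server), added here as an example and not part of the original thread or the Privacy Foundation advisory. It uses only the Python standard library; the sample message, the host name collector.example and the finding labels are constructed for illustration, and the matching is a heuristic rather than a full HTML sanitizer.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample: an HTML mail carrying inert script and a remote 1x1 image.
SAMPLE = """\
From: sender@example.com
To: reader@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please forward with your comments.</p>
<script>/* body elided */</script>
<img src="http://collector.example/bug.gif" width="1" height="1" onload="/* elided */">
</body></html>
"""

URL_ATTRS = ("src", "href", "action", "background")

class ActiveContentScanner(HTMLParser):
    """Records constructs that let an HTML mail run script or call out."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, value in attrs:
            scheme = (value or "").strip().partition(":")[0].lower()
            if name.startswith("on"):        # onload, onerror, onclick, ...
                self.findings.append(("event-handler", f"{tag}[{name}]"))
            elif name in URL_ATTRS and scheme == "javascript":
                self.findings.append(("javascript-url", f"{tag}[{name}]"))
            elif name in URL_ATTRS and name != "href" and scheme in ("http", "https"):
                # Fetched or posted without a click: Web bug or hidden form target.
                self.findings.append(("remote-fetch", f"{tag}[{name}]"))

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message string."""
    scanner = ActiveContentScanner()
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for kind, where in scan_message(SAMPLE):
        print(kind, where)
```

A mail gateway or client could use findings like these to strip the active content, or to fall back to the plain-text rendering, before a message is displayed or forwarded.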
chesty

Guru

Posts: 4557
From:
Registered: May 1999

posted February 11, 2001 11:33 AM



I just changed my settings. I always try to use pgp with sensitive messages.

------------------
At my signal unleash hell.
Strength and Honor
The frost, sometimes it makes the blade stick.
Death smiles at us all. All we can do is smile back.



All times are ET (US)
