This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

Wiretapping Your E-Mail

Feb 06 2001 12:00 AM PST

An old bug enables you to read what other people are adding to your messages.

On Monday the Privacy Foundation publicized a two-and-a-half-year-old method for "wiretapping" e-mail conversations using HTML and JavaScript. This privacy vulnerability has a couple of unusual features. You can't protect yourself completely from it, because its operations depend on the behavior of everyone who ever receives a forwarded copy of a wiretapped e-mail message. And exploiting it is illegal under state and federal laws.

According to the Privacy Foundation, e-mail programs from Microsoft (MSFT) (Outlook and Outlook Express) and AOL (dossier) TW-Netscape (Communicator 6.0) are vulnerable to the wiretapping technique. The New York Times and a few others covered the development Monday morning; other outlets picked up the story later in the day. Most reporters contented themselves with recounting the facts of the case and getting comments from security experts.

Wired ran the story yesterday and followed up today with a profile of the bug's original discoverer, Carl Voth. Julia Scheeres's interview brings out a historical wrinkle - in 1998 Voth had sent details of the bug to Richard Smith, then an amateur bug-hunter but now chief technologist at the Privacy Foundation. Smith suggested that Voth contact Microsoft and didn't investigate further. More than two years later, Voth wrote to Smith again and showed how his wiretapping discovery could make use of "Web bugs," another vulnerability that Smith had uncovered and publicized. This time Voth got Smith's attention.

The Slashdot community chewed over the vulnerability yesterday. Most of their suggestions won't be of much help to non-techies, though some were amusing. One poster suggested you exploit one of Microsoft Outlook's many vulnerabilities to break into your boss's computer and change his Windows startup tune to the Soviet national anthem.

A Trick to Snoop on E-Mail
New York Times
(Registration required.)

E-Mail Loophole Enables Snooping (AP)

Privacy Group Warns Of HTML Mail's 'Wiretap' Weakness
Washington Post

Wait! Don't Forward That E-Mail
Wired News

Friends Don't E-Mail Friends HTML
Wired News

HTML E-Mail Clients Susceptible to 'Wire-Tapping'

New E-Mail Vulnerability: Trust Your Neighbor?

E-Mail Wiretapping
Privacy Foundation

Reaper Exploit