JavaScript Security Hole in HTML Mail

JavaScript code embedded in HTML mail can allow unauthorized users to view the contents of messages you receive and forward. Details are published on the Wired website in the following articles:


A single person using an email client that supports HTML mail can mean your email is being read by unauthorized parties.

The Business Section (Section C) of the New York Times of January 29 or February 5, 2001 carried an article entitled "A new Trick Gives Snoops Easy Access To E-Mail". It describes how a small JavaScript applet embedded in HTML email can send a copy of every reply or forward to an email address specified by the originator. Even if a participant has JavaScript disabled, as I do, a subsequent recipient who clicks "Reply" or "Forward" can continue the chain. A similar article was published in the Denver Post.

Aspects of the vulnerability

There are two aspects to the vulnerability:
  1. Will your system execute the code and send the message to the wire tap?
  2. Does your system propagate the problem by passing along the JavaScript code when you reply to or forward the email?

EMail Clients Affected

Outlook, Outlook Express and Netscape 6 all have this security hole. To protect yourself from it, you must turn off JavaScript within EMail. However, that's not the end of the story: if your email client doesn't strip out the offending JavaScript when you forward or reply to a message, your comments could still be "wire tapped".
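The second aspect, propagation, is closed when the client or a mail gateway removes active content before a message is quoted in a reply or forward. The following is an added example of such a filter, not code from any of the mail clients named here; the names ActiveContentStripper, strip_active_content and SAMPLE are made up for illustration, and the sample body is constructed with inert placeholders.

```python
from html import escape
from html.parser import HTMLParser

class ActiveContentStripper(HTMLParser):
    """Re-emit HTML mail without <script>, on* handlers or javascript: values."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.removed.append("<script>")
        if self.in_script:
            return
        kept = []
        for name, value in attrs:  # scheme check ignores whitespace/control chars
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.removed.append(f"{tag}@{name}")
            elif compact.startswith("javascript:"):
                self.removed.append(f"{tag}@{name}=javascript:")
            else:
                kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # emit <br/> as <br>, with no end tag

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def strip_active_content(html_body):
    parser = ActiveContentStripper()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed  # (clean HTML, what was dropped)

# Constructed sample body; the script and handlers are inert placeholders.
SAMPLE = ('<body onload="placeholder()"><script>/* placeholder */</script>'
          '<p>Seen &amp; approved.</p><a href="java&#115;cript:x()">details</a>'
          '<a href="https://example.com/report">report</a></body>')
```

A non-empty second return value means the incoming message carried active content, so it can be logged as well as stripped. The filter errs on the strict side: any attribute whose name starts with "on" or whose value starts with "javascript:" is dropped.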

There are demonstration pages available to see if you are potentially affected by this vulnerability. I am not aware if they test for the propagation of the virus or just whether your client is vulnerable.

Protecting Yourself

Instructions for turning off JavaScript in EMail from the Privacy Foundation for users of:

My tests indicate that Poco is both immune to and does not propagate the JavaScript code. This has been confirmed by Slaven, of whom I asked:
"Will Poco pass along the wiretapping script without executing it?"
Slaven's response was:
"Definitely not, unless the message as a whole is somehow saved, then sent as an attachment."