New loophole makes email spying easy

A new method uses JavaScript to 'tap' email conversations

A newly-discovered email loophole could allow for widespread snooping of other people's online messages, adding to concerns over Internet privacy.

The loophole lets an unscrupulous individual essentially "bug" an email sent to any email client that can accept HTML messages with JavaScript, a simple programming language. Such clients include recent versions of Netscape Messenger, Microsoft Outlook and Qualcomm's Eudora.

The method, uncovered by US group the Privacy Foundation, requires only a few lines of JavaScript to be inserted into an email message. If the message is received by a JavaScript-enabled client, any reply containing the original message will be forwarded back to the original sender.

That means, for example, that someone could send a message to a colleague, and if the message is forwarded to others, each forwarded message or reply would be copied and sent to the original sender, according to the Privacy Foundation.

Even if a user turns off JavaScript, the "email wiretap" code would take effect when received by another user who had not turned off the feature. The Privacy Foundation is campaigning for email clients to be sold with JavaScript turned off as the default.

The group believes spying on others' conversations could become common using this loophole. "Most of us won't release a computer virus, but this is something people would use, particularly if a service started offering it," chief technology officer Richard M Smith told the New York Times. "It's just kind of human nature."

The Privacy Foundation plans to publicise its discovery Monday.

They can see you... Find out how and why in Surveillance, a ZDNet News Special.

Is your PC safe? Find out at the Hackers News Special

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.