New E-Mail Vulnerability - Trust Your Neighbor?
Misc.
2/5/2001; 11:12:34 AM

From Slashdot:

"According to this article in The New York Times (free registration required), a trick enables someone to essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth. The vulnerability could facilitate the harvesting of e-mail addresses. Widely used e-mail programs that are vulnerable to the exploit (because they enable JavaScript) include Microsoft Outlook, Outlook Express and Netscape 6." A snippet from the article: "The potential for such e-mail spying was first discovered by Carl Voth, an engineer in British Columbia. 'What bothers me is that in this case, my vulnerability is a function of what you do,' Mr. Voth said. 'I can be careful, I can take every precaution, I can turn off JavaScript, and it doesn't matter. If my neighbor isn't diligent and I send him an e-mail, I'm still vulnerable.'" "The Privacy Foundation, an educational and research organization based in Denver, plans to publicize and demonstrate the technique today."

This is one of the most subtle security flaws a system can have, and one of the most difficult to fix. This is why extending browsers should be done carefully and not willy-nilly: add the wrong plug-in, break security for one person, and security is ruined for everybody. If your banker leaks the password to the bank's systems to the wrong person because of a vulnerability like this, your bank account might be drained.
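
Because the exposure depends on the recipient's mail client and not the sender's, one place to check for it is the mail gateway, before a message reaches any client. The Python below is an added example, not code from the article, Slashdot or the Privacy Foundation: it flags script-capable content in the HTML parts of a message, and the names (scan_message, ActiveContentFinder), the tag list and the sample messages are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Assumed list of tags that can carry or load script in an HTML mail body.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}

class ActiveContentFinder(HTMLParser):
    """Collects script-capable tags, on* event handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes entities.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and "".join(value.split()).lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def scan_message(raw):
    """Return active-content findings for every text/html part of a message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also visits parts nested in multipart mail
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample messages (not taken from the article).
BUGGED = (
    "From: a@example.com\nSubject: numbers\nContent-Type: text/html\n\n"
    '<body onload="report()"><p>Forward with comments.</p>'
    "<script>/* placeholder */</script></body>"
)
CLEAN = "Content-Type: text/html\n\n<p>Forward with comments.</p>"

if __name__ == "__main__":
    for label, raw in (("bugged", BUGGED), ("clean", CLEAN)):
        print(label, scan_message(raw) or "no active content")
```

A gateway could quarantine any message with findings or deliver only its text/plain alternative, so the outcome no longer depends on how each recipient has configured JavaScript.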