Email wiretapping may sound like a plot from a spy movie, but it's a real and present danger in the digital age. This form of cyber espionage involves the unauthorized monitoring of email communications, often without the knowledge of the parties involved. It's a frightening prospect, but understanding how it works and how to protect yourself can go a long way in ensuring your digital security.
A few years back, the US-based Privacy Foundation discovered a significant security flaw in popular email clients developed by Microsoft and Netscape. This vulnerability allows the sender of an email to view the content of the message when it's forwarded with comments to other recipients, a process that has been dubbed "email wiretapping". This can lead to the covert surveillance of written messages and forwarded emails, with potential implications including:
The culprit behind this is JavaScript, which can easily hide in any HTML email. Email clients with JavaScript functionality, such as Outlook, Outlook Express, and Netscape 6 Mail, are particularly vulnerable. Earlier versions of Netscape mail readers are not affected as they do not fully support all the intricacies of JavaScript. Similarly, Eudora and the AOL 6.0 series of email readers are not affected as JavaScript is turned off by default, although they become vulnerable if JavaScript is enabled. Web-based email systems like Hotmail automatically strip out JavaScript programs from incoming emails, making them immune to this threat.
The security loophole is possible because JavaScript can read text in an email message. If a message is forwarded, the hidden JavaScript code can read any text added to the message during forwarding. This code executes when the forwarded message is read, silently sending off this text using a hidden form to a web server belonging to the original sender of the message. The original sender can then retrieve the text at their leisure and read it.
Detecting a "wiretapped" email message is challenging. An individual can avoid the email wiretap by disabling JavaScript in their email reader. However, if the individual forwards the message to someone who has JavaScript enabled, that recipient's forwarded messages can still be wiretapped. Additionally, copying the original message into a new email, rather than forwarding it, may not solve the problem.
You can partially mitigate the email wiretapping issue by disabling JavaScript in HTML email messages. If you're unsure how to do this, visit the homepage for your browser package for guidance.
However, turning off JavaScript is only a partial solution. A "wiretapped" message will still work if it's replied to or forwarded to someone whose email program is susceptible to the malicious JavaScript. The best policy is a group or corporate agreement on how to handle this, especially where commercially sensitive material is involved.