A newly discovered email security loophole could allow widespread snooping on other people's online messages, adding to concerns over Internet privacy.
The loophole lets an unscrupulous individual essentially "bug" an email sent to any client that can accept HTML messages with JavaScript, a simple programming language.
Such clients include recent versions of Netscape Messenger, Microsoft Outlook and Qualcomm's Eudora.
The method, uncovered by the UK Privacy Foundation, requires only a few lines of JavaScript to be inserted into an email message. If the message is received by a JavaScript-enabled client, any reply containing the original message will be forwarded back to the original sender.
That means, for example, that someone could send a message to a colleague, and if the message is forwarded to others, each forwarded message or reply would be copied and sent to the original sender, according to the Privacy Foundation.
Even if a user turns off JavaScript, the "email wiretap" code would still take effect when the message is received by another user who had not turned off the feature. The Privacy Foundation is campaigning for email clients to be sold with JavaScript turned off as the default.
The group believes that use of this loophole to spy on others' conversations could become common.







