[SECURITY] The 1MB Vcard, Not!

J. Francois jlf@magusnet.gilbert.az.us
Wed, 8 Mar 2000 21:50:35 -0700


I want to head this off before it gets out of hand.

While working with Netscape at Motorola SPS, I talked to some
engineers about fixes that needed to be made to Netscape
when reading mail.

One of them was the fact that Netscape will interpret URLs embedded
in email and in the VCARD.
It is an undocumented feature but has some significant security hazards
if the right bugs are available in Netscape.

I explained to them that by having a CGI on a WWW site I could 
do data gathering on anyone that received mail from me.
I explained that I could also put any URL in the VCARD and get 
people fired for browsing pr0n sites during working hours and 
they would never know what happened.

Netscape responded that it wasn't a bug but a feature.

So, from time to time I put images in my VCARD that play from my WWW
site at MagusNet, Inc.
This one is the Star Trek Enterprise leaving orbit and going
into warp.
Because you can't stop Netscape from loading the image, everyone 
that reads it leaves a spot in my logs (which I included below).

So, please do not think I sent a 1MEG email. I know better.
All I am guilty of is not fixing the "To:" so it would go back to
the right person instead of the list. I was in a hurry.

If you want to know more, see me on Thursday at the meeting.

JLF Sends...

Here is a log snapshot:

-- - 04-164.010.popsite.net [08/Mar/2000:17:14:44 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 131072 "" "Mozilla/4.7 [en] (X11; I; Linux 2.2.14 i686)"
-- - adslppp200.phnx.uswest.net [08/Mar/2000:17:21:16 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 1094777 "" "Mozilla/4.72 [en] (X11; U; Linux 2.2.15pre10 i686)"
-- - ip12.eai-healthcare.com [08/Mar/2000:17:46:23 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 1094777 "" "Mozilla/4.7 [en] (Win95; I)"
-- - ip-2-106.swlink.net [08/Mar/2000:17:47:02 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 98304 "" "Mozilla/4.72 [en] (Win98; U)"
-- - dslpppc97.phnx.uswest.net [08/Mar/2000:17:52:19 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 393216 "" "Mozilla/4.7 [en] (WinNT; U)"
-- - dslpppc97.phnx.uswest.net [08/Mar/2000:17:54:16 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 1094777 "" "Mozilla/4.7 [en] (WinNT; U)"
-- - cx293138-a.mesa1.az.home.com [08/Mar/2000:18:07:17 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 163840 "" "Mozilla/4.72 [en] (X11; I; Linux 2.2.12-20 i586)"
-- - 162.phx-ts02.impulsedata.net [08/Mar/2000:18:07:54 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 360448 "" "Mozilla/4.61 [en] (X11; I; Linux 2.2.10 i686)"
-- - dslstat39.fastq.com [08/Mar/2000:18:26:15 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 98304 "" "Mozilla/4.72 [en] (Win98; U)"
-- - cx629828-a.chnd1.az.home.com [08/Mar/2000:18:29:25 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 1094777 "" "Mozilla/4.7 [en] (X11; I; Linux 2.2.13 i586)"
-- - ts6-06.phx.cyberhighway.net [08/Mar/2000:19:09:34 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 98304 "" "Mozilla/4.7 [en] (X11; U; Linux 2.0.36 i686)"
-- - ts6-06.phx.cyberhighway.net [08/Mar/2000:19:19:19 --700] "GET http://heirophant.inhouse/pics/startrek.gif HTTP/1.0" 200 1094777 "" "Mozilla/4.7 [en] (X11; U; Linux 2.0.36 i686)"
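
A mail-gateway check for the behavior this message describes, as an added example that is not part of the original post: it lists the remote URLs found in the HTML and vCard parts of a message so they can be stripped or flagged before a mail client fetches them. The sample message, its host names, and the choice of MIME types to scan are constructed assumptions.

```python
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s\"'<>;]+", re.IGNORECASE)
# Assumption: these are the part types a client may render and auto-load from.
VCARD_TYPES = {"text/x-vcard", "text/vcard", "text/directory"}

def remote_refs(raw_message):
    """Return sorted (content_type, url) pairs for remote URLs in HTML and vCard parts."""
    msg = message_from_string(raw_message)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or (ctype != "text/html" and ctype not in VCARD_TYPES):
            continue  # plain-text links need a click, so they are not reported here
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if ctype in VCARD_TYPES:
            # Unfold vCard continuation lines (newline followed by space or tab),
            # otherwise a URL split across two lines would be truncated.
            text = re.sub(r"\r?\n[ \t]", "", text)
        found.update((ctype, url) for url in URL_RE.findall(text))
    return sorted(found)

# Constructed sample: a plain-text body plus a vCard carrying an image reference.
SAMPLE = """\
From: sender@example.invalid
To: list@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset=us-ascii

See http://example.invalid/plain-link for details.
--BOUND
Content-Type: text/x-vcard; charset=us-ascii; name="card.vcf"

begin:vcard
n:Doe;Jane
note:<img src="http://tracker.example.invalid/pics/
 beacon.gif">
url:http://example.invalid/home
end:vcard
--BOUND--
"""

if __name__ == "__main__":
    for ctype, url in remote_refs(SAMPLE):
        print(f"{ctype}: {url}")
```

Each reported URL is a request the recipient's client could make to a server the sender controls, which is what produces log entries like the ones above.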