The Privacy Foundation recently issued an advisory regarding an exploit against mail clients that might lead to a serious breach of privacy by exposing email content to third parties. According to a report that the foundation's Web site published, Carl Voth discovered the risk in a few lines of JavaScript code embedded in an email message. The code can cause any comments sent in response to an email message to be forwarded to a foreign Web site for later review.

The problem affects only email clients that support JavaScript, such as Outlook, Outlook Express, and Netscape 6 Mail. Users must have JavaScript enabled for the mail client to be vulnerable. However, the foundation's report warns that even with JavaScript disabled, users can forward the bugged message to other readers who have JavaScript enabled, at which point someone can monitor the conversation.

According to analysis in the foundation's advisory, a malicious user needs only three lines of code to perform this type of exploit. The user submits a hidden form containing the email content. Using a slight variation of the theme, three lines of exploit code can submit the email content back to a Web site by using a standard GET command and associated parameters—a technique commonly referred to as a Web bug.

The Privacy Foundation recommends that users disable JavaScript in their mail clients. See the foundation's advisory for detailed instructions for various mail clients.