Web sites getting email address from browsing

Thomas Dowling tdowling at ohiolink.edu
Wed Jan 7 13:41:52 EST 1998


-----Original Message-----
From: Luc Grondin <grondin.luc at uqam.ca>
To: Multiple recipients of list <web4lib at library.berkeley.edu>
Date: Wednesday, January 07, 1998 1:20 PM
Subject: Web sites getting email address from browsing


>Hello everybody,
>
>I recently received two disturbing email messages.  The first one invited
>me to visit a XXX Web site and the second informed me that I was granted
>free usage of Verisign (not sure about the spelling) for a while (it is an
>authentication system, or something like that).  I first thought they had
>obtained my email address from directories, until I remembered ending up in
>such a Web site a few days back (I was doing some test searching with Hotbot
>to find different examples of video file formats and clicked "randomly"
>from the results  ;->  ah well...).  I remember vaguely this Verisign
>business and something about getting the free service for a trial period.
>I didn't go further on this site and I am absolutely certain to never have
>filled in any form or clicked any button.
>
>It seems clear, then, that they were able to get my email address from my
>browser (Navigator).  Is it possible that some scripts (JavaScript for
>instance) would be able to read the identity variables from the user's
>browser?  I know that there are HTTP variables that give information about
>the Web client.  Do they go to that extent?

There was a badly broken version of Netscape (I'm tempted to say 3.0) that
could be tricked into sending your e-mail address without your knowledge.
When this was discovered, Netscape hurriedly fixed it in a .01 release.  As
I recall, this is one of the few security pitfalls Microsoft has avoided.

It's pretty simple to write a CGI script that shows you what environment
variables your browser sends.  See
http://www.ohiolink.edu/cgi-bin/printenv.pl for an example.

BTW, Verisign itself is a legitimate business, one of the leading vendors of
authentication certificates.

>
>I find offensive the idea that particular Web sites would get my name
>and email address without my knowledge.  That feels more intrusive than
>leaving a cookie or getting the IP address of my machine.  Is there anyone
>who would have information on that issue?
>
It's conceivable that the company in question is buying a mailing list from
some other site where you did enter your e-mail address, or culling
addresses from mailing lists you subscribe to or newsgroups where you post
(lessee, would XXX companies consider Web4Lib's subscribers likely
customers?...).  It's also possible that they're piecing together your
address from your REMOTE_HOST environment variable and finger.  There have
also been browsers that sent along a REMOTE_USER variable consisting of your
address, but this is no longer common (for obvious reasons).

The list of Web4Lib subscribers' addresses, of course, is available to
anyone by sending the message "review web4lib" to
listserv at library.berkeley.edu.

Check http://www.anonymizer.com/snoop.cgi for a possibly startling
demonstration of what a web server can figure out about you.
Thomas Dowling
OhioLINK - Ohio Library and Information Network
tdowling at ohiolink.edu
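A small CGI script in the spirit of the printenv.pl page linked above, added here as an example (it is not that script or anything from the original post): it echoes the browser-supplied variables back to the visitor and flags any that carry an e-mail address, the REMOTE_USER or From-header leak the reply describes. The variable list, regex and sample environment are assumptions; Python is used so the example runs as written.

```python
#!/usr/bin/env python3
"""Echo the CGI request environment back to the browser and flag any value
that contains an e-mail address (added example, not the post's printenv.pl)."""
import os, re, sys

# Request-side variables the thread mentions, plus every HTTP_* header the
# browser sent (an HTTP From: header arrives as HTTP_FROM).
REQUEST_VARS = ("REMOTE_ADDR", "REMOTE_HOST", "REMOTE_USER", "REMOTE_IDENT")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample environment, used when run outside a web server.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "192.0.2.10",
    "REMOTE_HOST": "dialup-10.example.org",
    "HTTP_USER_AGENT": "Mozilla/3.0 (X11; I; Linux 2.0.30 i586)",
    "HTTP_FROM": "someone@example.org",  # the kind of leak the thread fears
    "SERVER_NAME": "www.example.org",     # server-side, not browser-supplied
    "PATH": "/usr/bin:/bin",
}

def request_vars(environ):
    """Return only the browser-supplied variables, sorted by name."""
    return {k: v for k, v in sorted(environ.items())
            if k in REQUEST_VARS or k.startswith("HTTP_")}

def leaked_addresses(environ):
    """Map each browser-supplied variable to the e-mail address it contains."""
    found = {}
    for k, v in request_vars(environ).items():
        m = EMAIL_RE.search(v)
        if m:
            found[k] = m.group(0)
    return found

def render(environ):
    """Build the plain-text response body shown to the visitor."""
    lines = ["Variables your browser sent to this server:", ""]
    lines += [f"{k} = {v}" for k, v in request_vars(environ).items()]
    leaks = leaked_addresses(environ)
    lines.append("")
    if leaks:
        lines.append("WARNING: these variables contain an e-mail address:")
        lines += [f"  {k}: {v}" for k, v in leaks.items()]
    else:
        lines.append("No e-mail address found in the request variables.")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # A CGI-capable server sets GATEWAY_INTERFACE; otherwise use the sample.
    env = os.environ if "GATEWAY_INTERFACE" in os.environ else SAMPLE_ENVIRON
    sys.stdout.write("Content-Type: text/plain\r\n\r\n" + render(env))
```

Dropped into a server's cgi-bin it reports on the real request; run from a shell it uses the constructed sample and shows the warning for HTTP_FROM.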