If you had a Java enabled browser, you would have just Emailed a message from your machine to an arbitrary third person on an arbitrary third machine.

The Hostile Mail Applet Page

This page dates back to 1998. While this applet will work in some situations, it is no longer as common

By loading this page with a Java enabled browser you just Emailed a message from your machine to a third person on a third machine not involved in this transaction. In other words you sent mail, with text of my choosing, to a person that was not on either the client or the server machine.

Since I entended this to be an example only, it was not a hostile message and the message just went to me on another machine. Had this been a hostile applet, the message could have been anything, and the message could have been directed to [ insert the name of your favorite political leader, religious leader, or other name here ] . Alternatively the message could have been sent to a Usenet news group. There are lots of possibilities.

Look at the Java console for a listing of the transaction. Note again that if this were a real "hostile applet", I would not have echoed the transaction back to the console. The applet could have just been part of a simple animation with no indication that mail had been sent.

I'll put the ( tiny ) source here when I clean it up. Note that this does not violate any Netscape or Java security policies. It works within the existing SMTP and Java bounds and is just an example of what can be done. This example doesn't expose anything that couldn't have been forged before Java, but it does make the point that your computer can now be an active participant in these types of hacks.

Note also that the mail comes only from your machine and not your username. I just stuck in "root" as the username. I could have attempted to parse the output of the "finger" command mentioned below to get a username, but I didn't spend the time.

I'm trying a new information gathering strategy ( finger ) . Most of the time it doesn't work because the client side is not running a finger daemon :-( , but 20% of the time or so they are :-) . I'll update the source when I have the code finalized.

My Other Java Stuff