From: Blake Coverett <blake@bcdev.com>
Date: Tue, 30 Apr 1996 13:40:15 +0800
To: "'jsw@netscape.com>
Subject: RE: www.WhosWhere.com selling access to my employer's passwd file
Message-ID: <01BB35ED.7BA25CA0@bcdev.com>
MIME-Version: 1.0
Content-Type: text/plain


>   We go to great pains to keep from revealing your e-mail address to
> a web site.  Several of the fixes in 2.01 were for these sorts of problems.
> Given a current version of Netscape Navigator, how would a spam-king
> steal your e-mail address from his web page?

I just noticed an attack vector that I wasn't aware of previously.  If the browser
is running with CLASSPATH set to include the JDK classes.zip applets are
suddenly able to enumerate all the system properties.
On my system user.name is set to '?', but user.dir and user.home are both
available.

This isn't a huge exposure, but it is unsettling.

-Blake (off to poke around further)