July 17, 2002 4:00 AM PDT

Yahoo Mail puts words in your mouth

What does Yahoo Mail have against mocha?

That's what users of the company's free e-mail service may be wondering if they try to send a message using the word "mocha" and discover that while in transit, "mocha" mysteriously changes to "espresso."

To protect users from malicious code, Yahoo uses an automated filter to swap out a handful of words such as "mocha" that pertain to Web code known as JavaScript.

The reason is that e-mail sent in a form known as "Web enhanced" can contain JavaScript instructions that can run programs on the recipient's PC. JavaScript is a Web language that can issue commands such as telling the browser to open up other windows or to prompt a service to change a password, for example.

"Mocha" is one of those special commands that can be run from Web-enhanced e-mail--typing "mocha:" into the location bar of the Netscape browser will open up a screen with a display area and a text box underneath, in which commands can be entered.

A malicious hacker could, for example, use the command line to run a program to change a person's password without their knowledge.

To prevent such attacks on its customers, Yahoo searches and automatically replaces key terms--a step that is not disclosed to users and that goes beyond what other companies are doing.

While acknowledging that it searches and replaces certain words, a Yahoo representative would not say when it started the practice.

For example, Yahoo's filter changes the term "eval"--a JavaScript command used to evaluate a string of code--to "review." So an HTML message sent to a business acquaintance with the word "evaluate" would change to the curiously formed "reviewuate."

"Medieval" also is tweaked to become "Medireview." Although the new word is not found in Merriam-Webster's dictionary, it results in 1,150 related matches when typed into the Google search engine--an indication of how many e-mails Yahoo has tweaked.

Yahoo's intentions are not to confuse subscribers or play e-mail Big Brother, but to protect against potential security risks, the company says.

"To ensure the highest level of security for our users, Yahoo employs automated software to protect our users from potential cross-scripting violations," said Yahoo spokeswoman Mary Osako.

Security experts said it is common for Web-based e-mail services such as Yahoo and Hotmail to filter JavaScript from HTML e-mail, given that malicious hackers can use the code to hack into a person's computer or change passwords. But, they say, Yahoo's methods are odd.

Outer limits of filtering?
"This is kind of in the twilight zone," said Richard Smith, a security and privacy expert who runs a Web site called ComputerBytesMan.com.

"You don't need to change text of e-mail; you just need to change the script tags. That's what everybody else does," Smith said.

MSN's Hotmail, for example, filters out JavaScript commands, or tags, in HTML e-mail without changing words, according to an MSN representative.

Many other Web-based services, such as bulletin boards and chat rooms, filter out JavaScript commands too.

"If you don't filter JavaScript, then you can have malicious JavaScript-coded messages that start messing with somebody's e-mail account," Smith noted.

The software that Yahoo uses automatically scans Web-enhanced e-mail and replaces terms that can be confused with Web code. For security reasons, Yahoo's Osako would not disclose which terms are replaced. But an independent test by CNET News.com showed that the terms "eval" and "mocha" and "expression" were replaced with "review," "espresso" and "statement," respectively.

British newsletter site NTK, which first reported the use of the filter, lists other terms that are replaced through Yahoo Mail, including "JavaScript" to "java-script" and "livescript" to "live-script."

"Yahoo is always reviewing and updating our filtering and security systems as part of our ongoing efforts to continually enhance our service," Osaka said.

But as far as Yahoo's filters go, "it just looks like buggy software," Smith said.

See more CNET content tagged:
Richard Smith, JavaScript, Yahoo! Inc., Yahoo! Mail, filter

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.