July 17, 2002 4:00 AM PDT
Yahoo Mail puts words in your mouth
That's what users of the company's free e-mail service may be wondering if they try to send a message using the word "mocha" and discover that while in transit, "mocha" mysteriously changes to "espresso."
"Mocha" is one of those special commands that can be run from Web-enhanced e-mail--typing "mocha:" into the location bar of the Netscape browser will open up a screen with a display area and a text box underneath, in which commands can be entered.
A malicious hacker could, for example, use the command line to run a program to change a person's password without their knowledge.
To prevent such attacks on its customers, Yahoo searches and automatically replaces key terms--a step that is not disclosed to users and that goes beyond what other companies are doing.
While acknowledging that it searches and replaces certain words, a Yahoo representative would not say when it started the practice.
"Medieval" also is tweaked to become "Medireview." Although the new word is not found in Merriam-Webster's dictionary, it results in 1,150 related matches when typed into the Google search engine--an indication of how many e-mails Yahoo has tweaked.
Yahoo's intentions are not to confuse subscribers or play e-mail Big Brother, but to protect against potential security risks, the company says.
"To ensure the highest level of security for our users, Yahoo employs automated software to protect our users from potential cross-scripting violations," said Yahoo spokeswoman Mary Osako.
Outer limits of filtering?
"This is kind of in the twilight zone," said Richard Smith, a security and privacy expert who runs a Web site called ComputerBytesMan.com.
"You don't need to change text of e-mail; you just need to change the script tags. That's what everybody else does," Smith said.
The software that Yahoo uses automatically scans Web-enhanced e-mail and replaces terms that can be confused with Web code. For security reasons, Yahoo's Osako would not disclose which terms are replaced. But an independent test by CNET News.com showed that the terms "eval," "mocha" and "expression" were replaced with "review," "espresso" and "statement," respectively.
"Yahoo is always reviewing and updating our filtering and security systems as part of our ongoing efforts to continually enhance our service," Osako said.
But as far as Yahoo's filters go, "it just looks like buggy software," Smith said.
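Smith's point about changing only the script tags, set beside the whole-text replacement that the CNET News.com test observed, as an added Python example that is not Yahoo's code and not part of the original article. The three term pairs and "mocha:" come from the article; the function names, the sample message, the "javascript:" scheme and the dropping of on* attributes are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Term pairs reported by the article's test; the rest of this block is constructed.
REPLACEMENTS = {"eval": "review", "mocha": "espresso", "expression": "statement"}
# Assumption: URL schemes treated as script-bearing ("mocha:" is from the article).
SCRIPT_SCHEMES = ("javascript:", "mocha:")

def blanket_replace(body):
    """Substring replacement over the whole message, prose and markup alike."""
    pattern = re.compile("|".join(REPLACEMENTS), re.IGNORECASE)
    return pattern.sub(lambda m: REPLACEMENTS[m.group(0).lower()], body)

class MarkupFilter(HTMLParser):
    """Drops <script> elements and script-bearing attributes; text passes through."""
    def __init__(self):
        super().__init__()
        self.out, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        kept = []
        for name, value in attrs:
            # Whitespace and control characters can hide a scheme; strip them first.
            scheme = re.sub(r"[\x00-\x20]", "", value or "").lower()
            # Assumption: on* event-handler attributes are dropped as well.
            if not (name.startswith("on") or scheme.startswith(SCRIPT_SCHEMES)):
                kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # script bodies are discarded, prose is kept
            self.out.append(escape(data, quote=False))

def markup_filter(body):
    parser = MarkupFilter()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample message.
SAMPLE = ('<p>Medieval history: see <a href="http://example.com/">notes</a>.</p>'
          '<script>eval(x)</script><a href="mocha:">console</a>')
```

On the sample, the whole-text replacement rewrites the prose to "Medireview" yet leaves the script element in place, while the markup-aware filter removes the element and the "mocha:" link target and leaves "Medieval" alone.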