Yahoo! uses an automated filter, which searches and replaces key terms within emails, to protect users from malicious JavaScript instructions, but it can have unintended consequences for users trying to read their email

What does Yahoo! Mail have against mocha?

That's what users of the company's free email service may be wondering if they try to send a message using the word "mocha" and discover that while in transit, "mocha" mysteriously changes to "espresso."

To protect users from malicious code, Yahoo! uses an automated filter to swap out a handful of words such as "mocha" that pertain to Web code known as JavaScript.

The reason is that email sent in a form known as "Web enhanced" can contain JavaScript instructions that can run programs on the recipient's PC. JavaScript is a Web language that can issue commands such as telling the browser to open up other windows or to prompt a service to change a password, for example.

"Mocha" is one of those special commands that can be run from Web-enhanced email -- typing "mocha:" into the location bar of the Netscape browser will open up a screen with a display area and a text box underneath, in which commands can be entered.

A malicious hacker could, for example, use the command line to run a program to change a person's password without their knowledge.

To prevent such attacks on its customers, Yahoo! searches and automatically replaces key terms -- a step that is not disclosed to users and that goes beyond what other companies are doing.

While acknowledging that it searches and replaces certain words, a Yahoo! representative would not say when it started the practice.

For example, Yahoo!'s filter changes the term "eval" -- a JavaScript command used to evaluate a string of code -- to "review." So an HTML message sent to a business acquaintance with the word "evaluate" would change to the curiously formed "reviewuate."

"Medieval" also is tweaked to become "Medireview." Although the new word is not found in Merriam-Webster's dictionary, it results in 1,150 related matches when typed into the Google search engine -- an indication of how many emails Yahoo! has tweaked.

Yahoo!'s intentions are not to confuse subscribers or play email Big Brother, but to protect against potential security risks, the company says.

"To ensure the highest level of security for our users, Yahoo! employs automated software to protect our users from potential cross-scripting violations," said Yahoo! spokeswoman Mary Osako.

Security experts said it is common for Web-based email services such as Yahoo! and Hotmail to filter JavaScript from HTML email, given that malicious hackers can use the code to hack into a person's computer or change passwords. But, they say, Yahoo!'s methods are odd.

Outer limits of filtering?
"This is kind of in the twilight zone," said Richard Smith, a security and privacy expert who runs a Web site called ComputerBytesMan.com.

"You don't need to change text of email; you just need to change the script tags. That's what everybody else does," Smith said.

MSN's Hotmail, for example, filters out JavaScript commands, or tags, in HTML email without changing words, according to an MSN representative.

Many other Web-based services, such as bulletin boards and chat rooms, filter out JavaScript commands too.

"If you don't filter JavaScript, then you can have malicious JavaScript-coded messages that start messing with somebody's email account," Smith noted.

The software that Yahoo! uses automatically scans Web-enhanced email and replaces terms that can be confused with Web code. For security reasons, Yahoo!'s Osako would not disclose which terms are replaced. But an independent test by CNET News.com showed that the terms "eval" and "mocha" and "expression" were replaced with "review," "espresso" and "statement," respectively.

British newsletter site NTK, which first reported the use of the filter, lists other terms that are replaced through Yahoo! Mail, including "JavaScript" to "java-script" and "livescript" to "live-script."

"Yahoo! is always reviewing and updating our filtering and security systems as part of our ongoing efforts to continually enhance our service," Osaka said.

But as far as Yahoo!'s filters go, "it just looks like buggy software," Smith said.

Copyright © 1995-2009 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.