
List:       full-disclosure
Subject:    Re: [Full-Disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts
From:       "Berend-Jan Wever" <skylined () edup ! tudelft ! nl>
Date:       2002-08-31 8:52:30

Old news...
I already wrote a JavaScript virus for mail.com, but they just didn't care ;(

SkyLined
  ----- Original Message ----- 
  From: Andrew G. Tereschenko 
  To: Full Disclosure ; BugTraq ; Securiteam 
  Sent: Thursday, August 29, 2002 5:07
  Subject: [Full-Disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts


  iName/Mail.com security holes open the door to millions of e-mail accounts 


  Millions of free Internet e-mail accounts provided 
  by the iName/MAIL.COM service are vulnerable to a major security 
  breach that allows changing account information, 
  including the password hint/answer and, as a result, the password too. 


  The breach works via a special email message containing JavaScript 
  code in an HTML file attachment. 
  If the user opens this email in the web mail interface, 
  this code will redirect the user's browser to an evil site. 
  This site will redirect it back to a mail.com page, changing account information. 
  Because the login session cookies are still valid, the account information will be changed. 

  Here is a list of email domains hosted by MAIL.COM service: 

  and possibly some others, because mail.com is hosting some non-free email ISPs. 


  Proof: 

  A sample page with an exploit is available here: http://tager.org/mail.com/

  You can request a test email to be sent to your iName/MAIL.COM account. 
  Opening this test email will redirect your browser twice. 
  As a result, your account information will be changed to values known to the evil site. 
  (You can check it by clicking on "My Account".) 

  One of the pieces of information changed is the Password Hint/Answer. 
  (I'm changing it to some random values to prevent 
  exploitation of this hole by lame script kiddies.) 

  If the evil site stores the information from all successful attempts, 
  it will be able to easily obtain users' passwords via the "Forgot Password" service. 


  A bit more technical details: 
  There are at least two bugs on mail.com used for this: 
  1. /scripts/mail/mesg.mail fails to remove script code from HTML attachments 
  2. /scripts/common/profile.cgi accepts information submitted by untrusted servers. 


  Current advice to users: 
  There is no way to use this site without JavaScript. 
  (Mail.com is trying to get as much money as possible 
  from JavaScript advertisement pop-ups.) 

  As a result, there is only one way to protect yourself: 
  "Do not open any emails with attachments 
  until Mail.com fixes this bug." 


  Credit: 
  This bug was not originally found by me. 
  I would like to thank one "black hat" hacker (possibly from Russia) 
  who was trying to take control over my email account. 


  Feel free to contact me for more details, 
  -- 
  Andrew G. Tereschenko 
  TAG Software, Research Lab 
  Odessa, Ukraine 
  secure@tag.odessa.ua 

  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
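The two server-side checks the advisory says are missing, written out as an added example in stdlib Python (not Mail.com's code and not from either poster): `strip_scripts()` models what mesg.mail should do to an HTML attachment before rendering it inside the logged-in session, and `profile_update_allowed()` models the per-session anti-forgery token that profile.cgi would need so that a cross-site redirect carrying only the session cookie cannot change the password hint/answer. `SERVER_SECRET` and all function names are assumptions.

```python
# Added example, not Mail.com code: strip_scripts() is the mesg.mail side
# (render an HTML attachment without active content); profile_update_allowed()
# is the profile.cgi side (a session cookie alone must not authorise a change).
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser

class ScriptStripper(HTMLParser):
    """Rebuilds HTML without <script> blocks, on* handlers or javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.out, self._in_script = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script += 1
            return
        if self._in_script:
            return
        kept = [(n, v) for n, v in attrs
                if not n.lower().startswith("on")          # onload=, onclick=, ...
                and not (v or "").strip().lower().startswith("javascript:")]
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (n, escape(v or "", quote=True)) for n, v in kept)))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = max(0, self._in_script - 1)
        elif not self._in_script:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self._in_script:        # script bodies are dropped entirely
            self.out.append(escape(data, quote=False))

def strip_scripts(html_attachment):
    p = ScriptStripper()
    p.feed(html_attachment)
    p.close()
    return "".join(p.out)

SERVER_SECRET = b"constructed-demo-secret"   # assumption: per-deployment secret

def profile_token(session_id):
    """Token the genuine 'My Account' form carries; an outside redirect cannot."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def profile_update_allowed(session_id, submitted_token):
    """Accept the profile change only when the token matches this session."""
    if not session_id or not submitted_token:
        return False
    return hmac.compare_digest(profile_token(session_id), submitted_token)
```

With the token check in place, the second redirect described in the advisory would be rejected even though the session cookie is still valid, because the attacker's page never saw the token.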




