Web-mail vulnerability

Discussion in 'privacy problems' started by Pieter_Arntz, Nov 14, 2002.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    This is an excerpt from an article I found at: www.dsinet.org

    "
    -------------------------------------------------------
    XSS/Cookie problems at major (webmail) sites Advisory
    -------------------------------------------------------

    XSS/Cookie problems at major (webmail) sites
    13/11/02
    - by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org)

    ----------------------
    Introduction:
    ----------------------

    After finding an XSS/Cookie bug in the lycos.com mail site[0], I
    wondered if it was the only site with those problems. I found out
    that more sites have the same problem. This advisory gives three
    other sites to show the problem, and explains what the problem is.


    ----------------------
    Vendor Information:
    ----------------------

    Homepage : http://www.hotmail.com
    Vendor informed about bug : -
    Mailed advisory : 11/11/02
    Vendor Response : none (yet?)
    Status : Cookie capturing still possible


    Homepage : http://www.yahoo.com
    Vendor informed about bug : 03/11/02
    Mailed advisory : 03/11/02
    Vendor Response : none (yet?)
    Status : Cookie capturing still possible


    Homepage : http://www.excite.com
    Vendor informed about bug : 11/11/02
    Mailed advisory : 11/11/02
    Vendor Response : 1 autoreply
    Status : Cookie capturing still possible


    ----------------------
    Affected Versions:
    ----------------------

    Tested on:
    - hotmail.com webmail
    - yahoo.com Webmail
    - excite.com webmail

    Not tested on:
    - Other MSN/Passport services
    - Other yahoo services
    - Other excite services


    ----------------------
    Description:
    ----------------------


    What is Hotmail?
    -------------

    - http://www.hotmail.com
    - Hotmail is the world's largest provider of free, Web-based
    e-mail. It is based on the premise that e-mail access
    should be easy and possible from any computer connected to
    the World Wide Web. Hotmail eliminates the disparities
    among e-mail programs by adhering to the universal Hypertext
    Transfer Protocol (HTTP) standard. Sending and receiving
    e-mail from Hotmail is easy: go to the Hotmail Web site at
    http://www.hotmail.com or click the Hotmail link at
    http://www.msn.com, sign in, and send an e-mail message. By
    using a Web browser as a universal e-mail program, Hotmail
    lets you stay connected anywhere in the world.


    What is Yahoo?
    -------------

    - http://www.yahoo.com/

    - "Yahoo currently provides users with access to a rich
    collection of resources, including, various communications
    tools, forums, shopping services, personalized content and
    branded programming through its network of properties (the
    "Service"). "


    - http://mail.yahoo.com

    - "Yahoo! Mail is one of the Internet's most popular free
    e-mail services.
    Access your e-mail account from anywhere
    With Yahoo! Mail, you have access to your email from any
    Internet-connected computer in the world. Whether you are
    at a cafe, in a library, at work or at home, with Yahoo!
    Mail, your email address is the same and your account is
    accessible from all locations. "


    What is Excite?
    -------------

    - http://www.excite.com
    - Excite is a multi-purpose service which allows you to use
    or access a wealth of products and services, including
    e-mail, search services, chat rooms and bulletin boards,
    shopping services, news, financial information and broad
    range of other content (collectively the "Excite Service").


    ----------------------
    Vulnerability:
    ----------------------

    All of the above named sites use cookies with their mail services.
    These sites also have more than one service, and the different
    services have different hostnames/servers.

    The problem with this is that by finding an XSS bug in one of the
    many services, an XSS request could be made to get the cookie
    of the mail service.

    ----------------------
    Exploit:
    ----------------------

    The XSS bugs can be exploited by letting people click a link in an email.
    Other ways to exploit this are:
    - Giving people links through instant messengers.
    - Putting javascript in any homepage, which will open the XSS bug.
    This can be exploited for example in:
    - Poorly filtered forums
    - Poorly filtered guestbooks
    - Giving people a URL which will redirect them to the XSS bug.

    People can think of other ways as well; actually, it isn't
    really safe to surf the internet with a webmail account if
    the servers aren't fully secure.

    All the links above go to a Perl script. This script
    (rompigema.pl) will get the cookie and the referrer of the 'victim',
    then it will make a request to the server to get the frontpage,
    inbox or an email of the 'victim'.

    ----------------------
    Patch:
    ----------------------

    Well, it's up to the sites to patch this. It would be a good idea
    not to put insecure scripts on a server which uses the same
    cookies as your mail system.
    Also, I really think an idea like HttpOnly[1] would be a good start
    in getting rid of all the XSS bugs."


    As always: watch out what you click,

    Pieter
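The advisory's two fixes boil down to cookie scope: a mail session cookie should not be shared with every other host of the same domain, and it should carry HttpOnly so page script cannot read it. The following audit script is an added example (not part of the advisory or the thread) that parses Set-Cookie headers and flags both weaknesses; the hostnames and cookie names in it are constructed.

```python
"""Audit Set-Cookie headers for the weaknesses the advisory describes:
a session cookie scoped to a whole domain (readable after XSS on any
sibling host) and a cookie readable from script (no HttpOnly).
Hostnames and cookie names below are constructed for this example."""
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Return (cookie_name, attributes); attribute names are lower-cased,
    flag attributes such as HttpOnly map to None."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs


def audit_set_cookie(header: str, served_host: str) -> list[str]:
    """List the cookie-scope problems a defender would flag for a cookie
    set by served_host (the mail front end)."""
    name, attrs = parse_set_cookie(header)
    findings: list[str] = []
    domain = (attrs.get("domain") or "").lstrip(".").lower()
    # A Domain attribute widens the cookie to every host under that
    # domain, which is exactly the cross-service leak in the advisory.
    if domain and domain != served_host.lower():
        findings.append(
            f"{name}: Domain={domain} is sent to every *.{domain} host, "
            "so XSS on any of them can read it; prefer a host-only cookie")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, document.cookie exposes it")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, also sent over plain HTTP")
    return findings


# Constructed headers: the advisory's situation and a hardened variant.
WEAK = "MAILSESS=abc123; Domain=.webmail.example; Path=/"
HARDENED = "MAILSESS=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (WEAK, HARDENED):
        print(hdr, "->", audit_set_cookie(hdr, "mail.webmail.example") or "ok")
```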
     
  2. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Hmm, I don't know about this vulnerability, but once I managed to access the web-mail of a visitor who visited my site from an email in his mail; following the referrer allowed me to access his email account. I didn't even realise what was happening until where, because I have the habit of randomly checking unfamiliar referrers.


    It was Yahoo mail. I'm guessing this is a problem for most web-based emails, especially if the user does not log out properly and it hasn't timed out.

    I've read about it before, but to see it actually happen was an eye-opener to say the least.
     