Web-mail vulnerability

Discussion in 'privacy problems' started by Pieter_Arntz, Nov 14, 2002.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    This is an excerpt from an article I found at: www.dsinet.org

    XSS/Cookie problems at major (webmail) sites Advisory

    XSS/Cookie problems at major (webmail) sites
    - by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org)


    After finding a XSS/Cookie bug in the lycos.com mail site[0], I
    wondered if it was the only site with those problems. I found out
    that more sites got the same problem. This advisory gives three
    other sites to show the problem, and explains what the problem is.

    Vendor Information:

    Homepage : http://www.hotmail.com
    Vendor informed
    About bug : -
    Mailed advisory: 11/11/02
    Vender Response : none (yet?)
    Status : Cookie capturing still possible

    Homepage : http://www.yahoo.com
    Vendor informed
    About bug : 03/11/02
    Mailed advisory: 03/11/02
    Vender Response : none (yet?)
    Status : Cookie capturing still possible

    Homepage : http://www.excite.com
    Vendor informed
    About bug : 11/11/02
    Mailed advisory: 11/11/02
    Vender Response : 1 autoreply
    Status : Cookie capturing still possible

    Affected Versions:

    Tested on:
    - hotmail.com webmail
    - yahoo.com Webmail
    - excite.com webmail

    Not tested on:
    - Other MSN/Passport services
    - Other yahoo services
    - Other excite services


    What is Hotmail?

    - http://www.hotmail.com
    - Hotmail is the world's largest provider of free, Web-based
    e-mail. It is based on the premise that e-mail access
    should be easy and possible from any computer connected to
    the World Wide Web. Hotmail eliminates the disparities
    among e-mail programs by adhering to the universal Hypertext
    Transfer Protocol (HTTP) standard. Sending and receiving
    e-mail from Hotmail is easy: go to the Hotmail Web site at
    http://www.hotmail.com or click the Hotmail link at
    http://www.msn.com, sign in, and send an e-mail message. By
    using a Web browser as a universal e-mail program, Hotmail
    lets you stay connected anywhere in the world.

    What is Yahoo?

    - http://www.yahoo.com/

    - "Yahoo currently provides users with access to a rich
    collection of resources, including, various communications
    tools, forums, shopping services, personalized content and
    branded programming through its network of properties (the
    "Service"). "

    - http://mail.yahoo.com

    - "Yahoo! Mail is one of the Internet's most popular free
    e-mail services.
    Access your e-mail account from anywhere
    With Yahoo! Mail, you have access to your email from any
    Internet-connected computer in the world. Whether you are
    at a cafe, in a library, at work or at home, with Yahoo!
    Mail, your email address is the same and your account is
    accessible from all locations. "

    What is Excite?

    - http://www.excite.com
    - Excite is a multi-purpose service which allows you to use
    or access a wealth of products and services, including
    e-mail, search services, chat rooms and bulletin boards,
    shopping services, news, financial information and broad
    range of other content (collectively the "Excite Service").


    All of the above named sites use cookies with their mailservices.
    Also do these sites have more than one service, and for the
    different services have different hostnames/servers.

    The problem in this is that with finding a XSS bug in one of the
    many services there could be made a XSS request to get the cookie
    of the mailservice.


    The XSS bugs can be exploited by letting people click a link in an email.
    Other ways to exploit this are:
    - Giving people links through instant messengers.
    - Put javascript in any homepage, which will open the xss bug.
    Can be exploited for example in:
    - Not good filtered forums
    - Not good filtered guestbooks
    - Give people a url which will redirect them to the XSS bug.

    And people can think of other ways as well, actually it isn't
    really safe to surf on the internet with a webmail account if
    the servers aren't fully secure.

    All the links above are going to a perl script. This script
    (rompigema.pl) will get the cookie and the referrer of the 'victim',
    then it will make a request to the server to get the frontpage,
    inbox or an email from the 'victim'.


    Well, it's up to the sites to patch this. It would be a good idea
    to not put insecure scripts on a server which uses the same
    cookies as your mailsystem.
    Also I really think an idea like HttpOnly[1] would be a good start
    in getting rid of all the XSS bugs."

    As always: watch out what you click,

  2. JayK

    JayK Poster

    Dec 27, 2002
    Hmm I don't know about this vulnerability, but once, I managed to access the webemail of a visitor who visited my site from an email in his mail,following the referrer allowed me to acces his email account. I didn't even realise what was happening until where, because I have the habit of randomly checking unfamilar referrers.

    It was yahoomail. I'm guessing this is a problem for most web-based emails, espically if the user does not log out properly and it hasn't timed out..

    I've read about it before but to see it actually happen was a eyeopener to say the least.
Thread Status:
Not open for further replies.