[Full-Disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts
From: Berend-Jan Wever (full-disclosure@lists.netsys.com)
Date: Sat, 31 Aug 2002 10:52:30 +0200
- Next message: full-disclosure@lists.netsys.com: "[Full-Disclosure] Fwd: add www.cert.org to that list"
- Previous message: full-disclosure@lists.netsys.com: "[Full-Disclosure] www.securityfocus.com / www.iss.net DOWN?"
- In reply to: Andrew G. Tereschenko: "[Full-Disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts"
Old news...
I already wrote a JavaScript virus for mail.com, but they just didn't care ;(

SkyLined
----- Original Message -----
From: Andrew G. Tereschenko
To: Full Disclosure ; BugTraq ; Securiteam
Sent: Thursday, August 29, 2002 5:07
Subject: [Full-Disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts
iName/Mail.com security holes open the door to millions of e-mail accounts

Millions of free Internet e-mail accounts provided by the iName/MAIL.COM service are vulnerable to a major security breach that allows changing account information, including the password hint/answer and, as a result, the password too.

The breach works via a special email message containing JavaScript code in an HTML file attachment. If the user opens this email in the web mail interface, the code redirects the user's browser to an evil site. That site redirects it back to a mail.com page, changing account information. Because the login session cookies are still valid, the account information is changed.
Here is a list of email domains hosted by the MAIL.COM service:
--------
Mail.com, Email.com, consultant.com, europe.com, mindless.com, earthling.net, myself.com, post.com, techie.com, usa.com, writeme.com, 2die4.com, artlover.com, bikerider.com, catlover.com, cliffhanger.com, cutey.com, doglover.com, gardener.com, hot-shot.com, inorbit.com, loveable.com, mad.scientist.com, playful.com, poetic.com, popstar.com, saintly.com, seductive.com, soon.com, whoever.com, winning.com, witty.com, yours.com, africamail.com, arcticmail.com, asia.com, australiamail.com, europe.com, japan.com, samerica.com, usa.com, berlin.com, dublin.com, london.com, madrid.com, moscowmail.com, munich.com, nycmail.com, paris.com, rome.com, sanfranmail.com, singapore.com, tokyo.com, accountant.com, adexec.com, allergist.com, alumnidirector.com, archaeologist.com, chemist.com, clerk.com, columnist.com, comic.com, consultant.com, counsellor.com, deliveryman.com, diplomats.com, doctor.com, dr.com, engineer.com, execs.com, financier.com, geologist.com, graphic-designer.com, hairdresser.net, insurer.com, journalist.com, lawyer.com, legislator.com, lobbyist.com, minister.com, musician.org, optician.com, pediatrician.com, presidency.com, priest.com, programmer.net, publicist.com, realtyagent.com, registerednurses.com, repairman.com, representative.com, rescueteam.com, scientist.com, sociologist.com, teacher.com, techie.com, umpire.com
and possibly some others, because mail.com hosts some non-free email ISPs.
--------
Proof:
A sample page with an exploit is available here: http://tager.org/mail.com/
You can request a test email to be sent to your iName/MAIL.COM account. Opening this test email will redirect your browser twice. As a result, your account information will be changed to values known to the evil site. (You can check it by clicking on "My Account".)
One of the items changed is the Password Hint/Answer. (I'm changing it to random values to prevent exploitation of this hole by lame script kiddies.)
If the evil site stores the information from all successful attempts, it will be able to easily obtain the user's password via the "Forgot Password" service.
A bit more technical detail:
There are at least two bugs on mail.com used for this:
1. /scripts/mail/mesg.mail fails to remove script code from HTML attachments.
2. /scripts/common/profile.cgi accepts information submitted by untrusted servers.
Current advice to users:
There is no way to use this site without JavaScript. (Mail.com is trying to get as much money as possible from JavaScript advertisement pop-ups.)
As a result, there is only one way to protect yourself: "Do not open any emails with attachments until Mail.com fixes this bug."
Credit:
This bug was not originally found by me. I would like to thank one "black hat" hacker (possibly from Russia) who was trying to take control of my email account.

Feel free to contact me for more details,
--
Andrew G. Tereschenko
TAG Software, Research Lab
Odessa, Ukraine
secure@tag.odessa.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
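The two bugs the quoted advisory names (a webmail renderer that leaves script in an HTML attachment, and a profile handler that honours any request carrying the session cookie) are a classic stored-XSS-plus-CSRF chain. The following Python sketch is an added illustration, not code from this thread or from mail.com: it models both weaknesses with the usual server-side mitigations beside them. The handler names, the in-memory session store, the `own_origin` value, the sample attachment and the request dicts are all constructed for the example, and the attachment check goes slightly beyond the advisory by also flagging inline event handlers and `javascript:` URLs, not just `<script>` tags.

```python
"""Added example, not code from this thread or from mail.com: a toy model of
the two bugs the advisory names (active content left in a rendered HTML
attachment; a profile handler that trusts any request carrying the session
cookie) next to the usual mitigations. Handler names, the session store,
the sample attachment and the request dicts are all constructed here."""
import hmac
import secrets
from html.parser import HTMLParser

# Constructed sample: an HTML attachment that would run script when rendered
# inline by webmail (the redirect target is a placeholder, not a real site).
SAMPLE_ATTACHMENT = (
    '<html><body onload="location.href=\'http://evil.example/\'">'
    "<p>Your statement</p><script>/* placeholder */</script></body></html>"
)


class ActiveContentFinder(HTMLParser):
    """Record script tags, inline event handlers and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def find_active_content(html: str) -> list:
    """Return the active-content findings; an empty list means nothing to strip."""
    parser = ActiveContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed session store: session id -> user, per-session anti-CSRF token, profile.
SESSIONS = {}


def login(user: str) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "profile": {}}
    return sid


def update_profile_vulnerable(request: dict) -> bool:
    """Bug 2 as described: only the session cookie is checked, so a POST
    forged from another site (the browser attaches the cookie) is accepted."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return False
    sess["profile"].update(request["form"])
    return True


def update_profile_hardened(request: dict, own_origin: str = "https://www.mail.com") -> bool:
    """Mitigation: require the per-session token in the form body (which a
    foreign page cannot read) and a same-origin Origin/Referer header.
    own_origin is an assumed value for the example."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return False
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return False
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not origin.startswith(own_origin):
        return False
    fields = {k: v for k, v in request["form"].items() if k != "csrf_token"}
    sess["profile"].update(fields)
    return True


def demo() -> dict:
    """Run a forged and a legitimate profile update through both handlers."""
    sid = login("victim")
    forged = {  # constructed: what the advisory's redirect chain amounts to
        "cookies": {"sid": sid},
        "headers": {"Origin": "http://evil.example"},
        "form": {"password_hint": "attacker-chosen"},
    }
    legit = {  # constructed: the same update made from the site's own form
        "cookies": {"sid": sid},
        "headers": {"Origin": "https://www.mail.com"},
        "form": {"password_hint": "mine", "csrf_token": SESSIONS[sid]["csrf"]},
    }
    return {
        "attachment_findings": find_active_content(SAMPLE_ATTACHMENT),
        "forged_vs_vulnerable": update_profile_vulnerable(forged),
        "forged_vs_hardened": update_profile_hardened(forged),
        "legit_vs_hardened": update_profile_hardened(legit),
        "final_hint": SESSIONS[sid]["profile"]["password_hint"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the forged update succeeding against the cookie-only handler and being refused by the hardened one, while the legitimate form submission still goes through. The token check is the essential part: the Origin/Referer check is a second layer because older browsers and some proxies omit those headers, which is also why the hardened handler fails closed when neither is present.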