Re: Password cracking and webmail.
From: Winged (Winged_at_nofollow.com)
Date: Tue, 30 Aug 2005 18:39:02 -0500
> qewjf <firstname.lastname@example.org> writes:
>>According to a website I use: "XXX uses hi-tech software to prevent
>>password crackers from operating, but most web-email providers, such as
>>Hotmail, do not. Because anyone who has access to your email account can
>>request your XXX password, revealing your email address means that
>>anyone capable of hacking your email account can request your XXX
>>password. This happens around 300 times a day and in these instances,
>>there is nothing we can do to help you."
>>I do not understand this. When I access my webmail, I type in the
>>username/password and the page loads. If the combination is incorrect I
>>1. Are there crackers that work on web based e-mail? I thought you
>>had to download the password file and crack it locally.
>>2. How do they work?
>>3. Wouldn't the cracker be locked out after a few incorrect enteries?
> Many places will send y ou your password if you loose it. They send it to
> your email account on file. Thus if someone can get at your email account
> they can request thatthe password be sent to you and then read what the
> password is from your email.
Many users use the same password everywhere. Users use names, pets,
streets addresses etc on multiple sites. Very few users use complex and
sufficiently long passwords.
Some sites have their password files exposed that can be accessed using
for example a telnet session embedded HTML Java page from their free
website host, file may be hidden from the Internet but accessible
directly through their user web server site(there are other methods,
this is just an example). This allows password files to be cracked at
leisure, without provider even seeing traffic, though this would imply
someone was watching.
Many of the free web mail hosts do not set a max tries setting...causes
too many user support issues.
The most common "cracker" I have seen used on Yahoo are simple name
dictionary crackers. It is remarkable how successful even this simple
method appears to be.
Another method commonly used with Yahoo would be simply to place a
trojan on the machine you wanted using one of several buffer overflow
methods in their older Yahoo versions. Some of the exploits were
related to JAVA and others with the YAHOO tool itself. I am not aware
of any exploits in their current 6.0 version of IM however there are
several methods to obtain the victims IP and attack the remote user host
directly with other exploits.
Another method commonly used is posting links in rooms (probably some
sexy sounding girl with pics posted) where an exploit awaited users who
clicked links. Some of the profile pages had exploits embedded (varied
methods). Once trojaned getting passwords is easy.
For awhile I found IM exploits in Yahoo an interesting study in methods,
they ran the gambit. Yahoos password is good for their IM, mail,
portfolio, and other sensitive areas.
They have a difficult time fixing stupid users or compromised machines
which makes their options complex and difficult to manage, so they don't.
What do you expect for free, security?