Bugtraq mailing list archives
Re: Security flaws in Yahoo Mail
From: marcs () ZNEP COM (Marc Slemko)
Date: Mon, 13 Oct 1997 10:54:50 -0600
On Sun, 12 Oct 1997, andrew shieh wrote:
> Yahoo recently opened a free, web-based mail service at http://mail.yahoo.com/. I believe they purchased this from Four11 or Rocketmail. It has several security flaws in its POP server access. It has a capability to read external mail into your yahoo mail account via POP3. This works fine.
I'm not particularly thrilled with Hotmail's setup either. I am sure this must have been discussed before, but can't recall it so...

From what I can tell, it authenticates you based on the URL you ask for (some user information is embedded in it; not the password though) and the IP address you are coming from. I'm assuming there is some timeout on the IP address; hmm... looking further, perhaps not. It may just keep the last used one. That means that if you send hotmail users a message, get them to follow on a link to your webserver, log their referer header then gain access to the IP they were coming from (say they come from a proxy that you can get access to use somehow, e.g. AOL where you can use an AOL account or some proxy that doesn't properly restrict access) then you can read all their mail and send messages from them with the headers and hotmail logs showing they sent them.

What I cannot understand is why Hotmail is using this method of authentication. I certainly agree that all other methods (with the possible exception of client certificates--but that is often not practical) available right now aren't very good, but that doesn't mean you should pick the worst.

I sent myself a mail with an ad for free sex. Since everyone knows that such things are always true, I clicked on the link. I then looked at my webserver:

(manually wrapped)
users.worldgate.com|alive.worldgate.com|GET /~marcs/freesex/ HTTP/1.0|\
text/html|404|1997/10/13-10:45:19|-|168|-|-|\
http://207.82.250.251/cgi-bin/getmsg?disk=207.82.250.162_d230&login=slemko\
&f=33793&curmbox=ACTIVE&msg=MSG876760995.5&start=143&len=695|\
Mozilla/3.01Gold (X11; I; FreeBSD 2.1.5-RELEASE i386)

Then all I have to do is access the proxy on the host I came from (too bad you need a password), and poof I can access my mailbox from anywhere with no information other than that contained in the above log entry. The risk isn't tremendous, but it is there.

They do have an option of some sort that uses cookies, but I'm not sure if it helps anything security-wise because they just tout it as something to work around things like proxies with multiple IPs.
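The authentication weakness described in the message above, as an added example that is not part of the original post and is not Hotmail's or Yahoo's code: a small Python model of the URL-plus-IP scheme Marc describes next to its hardened form, a random session token that travels only in a cookie and expires, together with a parser that pulls the Referer out of a log line in the same pipe-delimited layout as the one in the post and reports which identity parameters it exposes. The host names, IP addresses, log line and parameter names are constructed; the Referrer-Policy header is a later browser mitigation that did not exist in 1997.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed log line (not the one from the post) in the same pipe-delimited
# layout: the Referer is the second-to-last field and carries the webmail URL,
# whose query string names the login and the mailbox disk.
CONSTRUCTED_LOG_LINE = (
    "client.example.net|www.example.net|GET /landing/ HTTP/1.0|text/html|200|"
    "1997/10/13-10:45:19|-|168|-|-|"
    "http://webmail.example.com/cgi-bin/getmsg?disk=10.0.0.7_d230&login=alice"
    "&f=33793&curmbox=ACTIVE&msg=MSG876760995.5|"
    "Mozilla/3.01Gold (X11; I; FreeBSD 2.1.5-RELEASE i386)"
)

# Query-string keys that identify a user or a session. Assumed names: the
# two from the post's URL plus common session-parameter names.
SENSITIVE_KEYS = {"login", "disk", "session", "sid", "token"}


def referer_from_log(line: str) -> str:
    """Return the Referer field of a pipe-delimited log line (assumed layout
    as in the post: Referer second to last, User-Agent last)."""
    return line.split("|")[-2]


def leaked_identity(referer: str) -> dict:
    """Return the identity/session parameters a Referer URL hands to the site
    that received it; an empty dict means nothing sensitive leaked."""
    query = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in query.items() if k in SENSITIVE_KEYS}


class UrlAndIpAuthorizer:
    """The scheme the post describes: the URL names the user, and the request
    is accepted if it arrives from the IP last recorded for that user, so a
    leaked URL plus a shared IP (e.g. a proxy) is enough to pass."""

    def __init__(self):
        self.last_ip = {}  # user -> client IP seen at login

    def login(self, user: str, client_ip: str) -> None:
        self.last_ip[user] = client_ip

    def authorize(self, url: str, client_ip: str):
        """Return the user granted access, or None."""
        user = parse_qs(urlsplit(url).query).get("login", [None])[0]
        if user is not None and self.last_ip.get(user) == client_ip:
            return user
        return None


class CookieTokenAuthorizer:
    """Hardened form: a random, expiring session token sent only in a cookie,
    so the URL (and therefore the Referer) carries nothing that grants access."""

    def __init__(self, lifetime_s: int = 3600):
        self.sessions = {}  # token -> (user, expiry timestamp)
        self.lifetime_s = lifetime_s

    def login(self, user: str, now: float = None) -> str:
        """Create a session; the caller sets the token as an HttpOnly cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = (user, now + self.lifetime_s)
        return token

    def authorize(self, cookie_token: str, now: float = None):
        """Return the user for a valid, unexpired cookie token, or None."""
        now = time.time() if now is None else now
        entry = self.sessions.get(cookie_token)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self.sessions[cookie_token]  # drop stale sessions on use
            return None
        return user

    @staticmethod
    def mailbox_url(msg_id: str) -> str:
        """Mailbox URL with no identity in it: a leaked Referer reveals only
        a message number, and the session comes from the cookie."""
        return f"http://webmail.example.com/getmsg?msg={msg_id}"

    @staticmethod
    def response_headers() -> dict:
        """Headers the hardened server sends; Referrer-Policy (a later
        mechanism) stops the browser sending the URL to third-party sites."""
        return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


if __name__ == "__main__":
    ref = referer_from_log(CONSTRUCTED_LOG_LINE)
    print("leaked via Referer:", leaked_identity(ref))
    print("leaked via hardened URL:",
          leaked_identity(CookieTokenAuthorizer.mailbox_url("MSG876760995.5")))
```

With the first authorizer the leaked Referer alone names the account, and the IP check is the only remaining barrier; with the second, the only secret is the cookie token, which the browser never puts in a URL, and the token expires on its own.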
Current thread:
- Security flaws in Yahoo Mail andrew shieh (Oct 12)
- Re: Security flaws in Yahoo Mail Marc Slemko (Oct 13)
- Re: Security flaws in Yahoo Mail Andrew Brown (Oct 14)
- Re: Security flaws in Yahoo Mail Marc Slemko (Oct 13)