Full Disclosure mailing list archives

iName/Mail.com security holes opens door to millions of e-mail accounts


From: full-disclosure () lists netsys com (Berend-Jan Wever)
Date: Sat, 31 Aug 2002 10:52:30 +0200

Old news...
I already wrote a javascript virus for mail.com, but they just didn't care ;(

SkyLined
  ----- Original Message -----
  From: Andrew G. Tereschenko
  To: Full Disclosure ; BugTraq ; Securiteam
  Sent: Thursday, August 29, 2002 5:07
  Subject: [Full-disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts


  iName/Mail.com security holes opens door to millions of e-mail accounts


  Millions of free Internet e-mail accounts provided
  by the iName/MAIL.COM service are vulnerable to a major security
  breach that allows changing account information,
  including the password hint/answer and, as a result, the password too.


  The breach works via a special email message containing javascript
  code in an html file attachment.
  If the user opens this email in the web mail interface,
  this code will redirect the user's browser to an evil site.
  This site will redirect it back to a mail.com page, changing account information.
  Because the login session cookies are still valid, the account information will be changed.

  Here is a list of email domains hosted by the MAIL.COM service:

  --------
  Mail.com, Email.com, consultant.com, europe.com, mindless.com,
  earthling.net, myself.com, post.com, techie.com, usa.com,
  writeme.com, 2die4.com, artlover.com, bikerider.com, catlover.com,
  cliffhanger.com, cutey.com, doglover.com, gardener.com,
  hot-shot.com, inorbit.com, loveable.com, mad.scientist.com,
  playful.com, poetic.com, popstar.com, saintly.com, seductive.com,
  soon.com, whoever.com, winning.com, witty.com, yours.com,
  africamail.com, arcticmail.com, asia.com, australiamail.com,
  europe.com, japan.com, samerica.com, usa.com, berlin.com,
  dublin.com, london.com, madrid.com, moscowmail.com, munich.com,
  nycmail.com, paris.com, rome.com, sanfranmail.com, singapore.com,
  tokyo.com, accountant.com, adexec.com, allergist.com, alumnidirector.com,
  archaeologist.com, chemist.com, clerk.com, columnist.com, comic.com,
  consultant.com, counsellor.com, deliveryman.com, diplomats.com, doctor.com,
  dr.com, engineer.com, execs.com, financier.com, geologist.com, graphic-designer.com,
  hairdresser.net, insurer.com, journalist.com, lawyer.com, legislator.com,
  lobbyist.com, minister.com, musician.org, optician.com, pediatrician.com,
  presidency.com, priest.com, programmer.net, publicist.com, realtyagent.com,
  registerednurses.com, repairman.com, representative.com, rescueteam.com,
  scientist.com, sociologist.com, teacher.com, techie.com, umpire.com

  and possibly some others, because mail.com hosts some non-free email ISPs.
  --------


  Proof:

  A sample page with an exploit is available here: http://tager.org/mail.com/

  You can request a test email to be sent to your iName/MAIL.COM account.
  Opening this test email will redirect your browser twice.
  As a result your account information will be changed to values known to the evil site.
  (You can check it by clicking on "My Account").

  One of the pieces of information changed is the Password Hint/Answer.
  (I'm changing it to some random values to prevent
  exploiting this hole by lame script kiddies)

  If the evil site stores the information from all successful attempts,
  it will be able to easily obtain the user's password via the "Forgot Password" service.


  A bit more technical detail:
  There are at least two bugs on mail.com used for this:
  1. /scripts/mail/mesg.mail fails to remove script code from html attachments
  2. /scripts/common/profile.cgi accepts information submitted by untrusted servers.


  Current advice to users:
  There is no way to use this site without JavaScript.
  (Mail.com is trying to get as much money as possible
  from javascript advertisement pop-ups)

  As a result there is only one way to protect yourself:
  "Do not open any emails with attachments
  until Mail.com fixes this bug"


  Credit:
  This bug was not originally found by me.
  I would like to thank one "black hat" hacker (possibly from Russia)
  who was trying to take control of my email account.


  Feel free to contact me for more details,
  --
  Andrew G. Tereschenko
  TAG Software, Research Lab
  Odessa, Ukraine
  secure () tag odessa ua

  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html


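The second bug in the advisory, profile.cgi honouring an account change whenever the browser's still-valid session cookie rides along, is the one a defender closes by binding every state-changing request to a secret that a third-party page cannot know. The following is an added Python illustration of such a session-bound anti-forgery token, not code from mail.com or from the advisory; the handler name, the request shape and the server key are assumptions.

```python
import hashlib
import hmac

# Server-side key (constructed for this example; a real deployment loads it from config).
SERVER_KEY = b"example-server-key-not-for-production"


def csrf_token(session_id: str) -> str:
    """Derive a per-session token as HMAC(server key, session id).

    The token is embedded only in the genuine profile form served to the
    logged-in user; a page on another site gets the cookie sent along by the
    browser but has no way to read or compute this value."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_profile_update(request: dict) -> tuple:
    """Hypothetical hardened form handler (stands in for profile.cgi).

    request = {"cookies": {...}, "form": {...}}; returns (status, message)."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    form = request.get("form", {})
    # A valid cookie alone is not proof that the user intended this change.
    submitted = form.get("csrf_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(submitted, expected):
        return 403, "profile change rejected: missing or wrong anti-forgery token"
    # Only now would the hint/answer be written; return what would be stored.
    return 200, "hint=%r answer=%r" % (form.get("hint"), form.get("answer"))


# Constructed sample requests.
SESSION = "sess-abc123"
# A request arriving via a third-party redirect: the victim's cookie is present,
# but the form carries no token, so the change is refused.
CROSS_SITE = {"cookies": {"session": SESSION},
              "form": {"hint": "pet", "answer": "changed-elsewhere"}}
# A submission from the real profile form, which embedded the token.
GENUINE = {"cookies": {"session": SESSION},
           "form": {"hint": "pet", "answer": "fluffy",
                    "csrf_token": csrf_token(SESSION)}}

if __name__ == "__main__":
    print(handle_profile_update(CROSS_SITE))
    print(handle_profile_update(GENUINE))
```

The same check must apply to every path that can alter the account, including any GET-style endpoint reached by a bare redirect, or the token is bypassed.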