Full Disclosure mailing list archives
iName/Mail.com security holes opens door to millions of e-mail accounts
From: full-disclosure () lists netsys com (Berend-Jan Wever)
Date: Sat, 31 Aug 2002 10:52:30 +0200
Old news... I already wrote a javascript virus for mail.com, but they just didn't care ;(

SkyLined

----- Original Message -----
From: Andrew G. Tereschenko
To: Full Disclosure ; BugTraq ; Securiteam
Sent: Thursday, August 29, 2002 5:07
Subject: [Full-disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts

iName/Mail.com security holes opens door to millions of e-mail accounts

Millions of free Internet e-mail accounts provided by the iName/MAIL.COM service are vulnerable to a major security breach that allows changing account information, including the password hint/answer and, as a result, the password too.

The breach works via a special email message containing javascript code in an html file attachment. If the user opens this email in the web mail interface, this code will redirect the user's browser to an evil site. This site will redirect it back to a mail.com page, changing account information. Because the login session cookies are still valid, the account information will be changed.

Here is a list of email domains hosted by the MAIL.COM service:
--------
Mail.com, Email.com, consultant.com, europe.com, mindless.com, earthling.net, myself.com, post.com, techie.com, usa.com, writeme.com, 2die4.com, artlover.com, bikerider.com, catlover.com, cliffhanger.com, cutey.com, doglover.com, gardener.com, hot-shot.com, inorbit.com, loveable.com, mad.scientist.com, playful.com, poetic.com, popstar.com, saintly.com, seductive.com, soon.com, whoever.com, winning.com, witty.com, yours.com, africamail.com, arcticmail.com, asia.com, australiamail.com, europe.com, japan.com, samerica.com, usa.com, berlin.com, dublin.com, london.com, madrid.com, moscowmail.com, munich.com, nycmail.com, paris.com, rome.com, sanfranmail.com, singapore.com, tokyo.com, accountant.com, adexec.com, allergist.com, alumnidirector.com, archaeologist.com, chemist.com, clerk.com, columnist.com, comic.com, consultant.com, counsellor.com, deliveryman.com, diplomats.com, doctor.com, dr.com, engineer.com, execs.com, financier.com, geologist.com, graphic-designer.com, hairdresser.net, insurer.com, journalist.com, lawyer.com, legislator.com, lobbyist.com, minister.com, musician.org, optician.com, pediatrician.com, presidency.com, priest.com, programmer.net, publicist.com, realtyagent.com, registerednurses.com, repairman.com, representative.com, rescueteam.com, scientist.com, sociologist.com, teacher.com, techie.com, umpire.com
and possibly some others, because mail.com hosts some non-free email ISPs
--------

Proof:
A sample page with an exploit is available here: http://tager.org/mail.com/
You can request a test email to be sent to your iName/MAIL.COM account. Opening this test email will redirect your browser twice. As a result, your account information will be changed to values known to the evil site. (You can check it by clicking on "My Account").
One piece of information changed is the Password Hint/Answer. (I'm changing it to some random values to prevent exploitation of this hole by lame script kiddies.)
If the evil site stores information from all successful attempts, it will be able to easily obtain the user's password via the "Forgot Password" service.

A bit more technical detail:
There are at least two bugs on mail.com used for this:
1. /scripts/mail/mesg.mail fails to remove script code from html attachments
2. /scripts/common/profile.cgi accepts information submitted by untrusted servers.

Current advice to users:
There is no way to use this site without JavaScript. (Mail.com is trying to get as much money as possible from javascript advertisement pop-ups.)
As a result, there is only one way to protect yourself:
"Do not open any emails with attachments until Mail.com fixes this bug"

Credit:
This bug was not originally found by me. I would like to thank one "black hat" hacker (possibly from Russia) who was trying to take control over my email account.

Feel free to contact me for more details,
--
Andrew G. Tereschenko
TAG Software, Research Lab
Odessa, Ukraine
secure () tag odessa ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
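The two bugs in the advisory map to two server-side fixes: an allow-list sanitizer for HTML attachments before the webmail UI renders them (bug 1), and a per-session anti-CSRF token on the profile update so that a valid session cookie alone no longer authorizes a change arriving from another site (bug 2). The following is an added illustration of both, not mail.com's code; `AttachmentSanitizer`, `csrf_token` and `profile_update_allowed` are hypothetical names and the tag allow-list is a constructed minimum.

```python
import hashlib
import hmac
from html import escape
from html.parser import HTMLParser

# Hypothetical hardening for the two bugs in the advisory (not mail.com's code).
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "div", "span"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

class AttachmentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1  # active content is dropped together with its body
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = (value or "").strip()
                if name.startswith("on"):
                    continue  # drop event handlers (onload=, onerror=, ...)
                if name in ("href", "src") and not value.lower().startswith(SAFE_SCHEMES):
                    continue  # allow-list of URL schemes: javascript:/data: never match
                kept += ' %s="%s"' % (name, escape(value, quote=True))
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(self.skip - 1, 0)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never echoed raw

def sanitize_attachment(html):
    p = AttachmentSanitizer()
    p.feed(html)
    return "".join(p.out)

def csrf_token(session_id, server_secret):
    # Token bound to the session with a server-side secret; an outside site cannot compute it.
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()

def profile_update_allowed(session_id, server_secret, form):
    # A valid cookie alone is not enough: the submitted form must echo the session's token.
    return hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id, server_secret))
```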
Current thread:
- iName/Mail.com security holes opens door to millions of e-mail accounts Andrew G. Tereschenko (Aug 28)
- iName/Mail.com security holes opens door to millions of e-mail accounts Colt Peacemaker (Aug 29)
- iName/Mail.com security holes opens door to millions of e-mail accounts Andrew G. Tereschenko (Aug 29)
- iName/Mail.com security holes opens door to millions of e-mail accounts Colt Peacemaker (Aug 29)
- iName/Mail.com security holes opens door to millions of e-mail accounts Andrew G. Tereschenko (Aug 30)
- iName/Mail.com security holes opens door to millions of e-mail accounts Andrew G. Tereschenko (Aug 29)
- iName/Mail.com security holes opens door to millions of e-mail accounts Colt Peacemaker (Aug 29)
- iName/Mail.com security holes opens door to millions of e-mail accounts Berend-Jan Wever (Aug 31)