Vulnerability Development mailing list archives

Webmails security warning


From: FozZy <FozZy () dmpfrance com>
Date: Mon, 03 Dec 2001 05:11:09 +0000


The following should be read by development teams of web applications 
dealing with private user data, and especially webmail services.

I All Webmails
--------------
I am currently researching the degree of security of many webmail sites 
and applications, by focusing on the client side of the problem, that is: 
the user behavior, and the content of the web pages sent to his Internet 
browser. The security level of these services seems to be very low: many 
holes discussed in the past on the Internet can still be exploited, allowing a 
third party to read the user's emails and account preferences, retrieve his 
password, etc.

Why?
- Many of these services or applications are free, so they don't want to 
(or cannot) spend money for security audits.
- Developers don't have a good understanding of "client-side" problems.
- Knowledge about previously discovered vulnerabilities is not centralized. 
Some of them were published in a different context. So it's easy to miss 
something when searching the Internet.

That's why, in a few weeks, I will post on BugTraq a technical security 
paper explaining *known* vulnerabilities and tricks used in the past to 
bypass protections of webmail services. It will be helpful to perform 
audits, and will increase users' and developers' understanding of these 
problems. I hope it will open the way to a decent security level.
Due to the huge number of vulnerable sites and applications, I suggest that 
webmail developers send me their signed PGP key so that I can give them 
this technical paper *before* I release it to the public.

[ Note: I would also appreciate comments on my paper from a security 
expert, and it would be nice if a specialist wanted to add a reference text 
about good filtering of HTML content. ]

II Yahoo! Mail
--------------
Cross-site scripting vulnerabilities on the yahoo.com domain were reported 
six months ago on Bugtraq by mparcens () hushmail com. (see 
http://www.sidesport.org) They allow JavaScript code to steal the session 
cookie and send it over the Internet to a CGI script, which could then gain 
access to the mailbox of the user without knowledge of his password. My 
tests seem to show that no check on the IP address of the user (and the HTTP 
headers) is performed.
It seems that many pages are still vulnerable to cross-site scripting on 
*.yahoo.com. For instance, the CGI feedback forms:
http://add.yahoo.com/fast/help/uk/mail/cgi_spam?send=yo&yid=%22%3E%3C/td%3E%3Cscript%20Language=JavaScript1.1%3Ealert(document.cookie)%3C/script%3E%3Ctd%20t=%22

I will not develop that further now. Other Yahoo! Mail potential security 
problems are currently under investigation (see 
http://www.dmpfrance.com/YahooJavaScript.jpg).
I'd like to be contacted by a Yahoo executive so that Yahoo can apply fixes 
before I disclose anything. A 2-hour phone call to Yahoo France was 
unsuccessful (I could only speak to a technician who did not want to 
disturb a US engineer for such a little thing). I hope this post will help.

III Users Protection
--------------------
Users of webmail services should:
- disable Active Scripting (sadly, many webmails need JavaScript to operate 
properly)
- disable automatic image loading
- view messages in plain text rather than in HTML
- never click on a link submitted in an email, even if it is to a trusted 
website.


FozZy
Hackademy staff, Paris, France.
"Security seen from a hacker's point of view is always one step beyond 
traditional security"

http://www.dmpfrance.com
fozzy () dmpfrance com
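Added illustration, not part of FozZy's post: the feedback-form URL quoted in section II reflects the `yid` parameter into the page, which is what lets the script tag land in the HTML. The code below takes that URL, shows that verbatim reflection produces a `<script>` element while HTML-escaping the value for the attribute context does not, and adds the client-binding check the post says is missing on the session cookie. The page template, the session store and the client values are constructed assumptions; only the URL and parameter names come from the post.

```python
import html
from urllib.parse import parse_qs, urlsplit

# URL quoted in the post (parameter names send= and yid= are from that URL).
REPORTED_URL = ("http://add.yahoo.com/fast/help/uk/mail/cgi_spam?send=yo&yid="
                "%22%3E%3C/td%3E%3Cscript%20Language=JavaScript1.1%3E"
                "alert(document.cookie)%3C/script%3E%3Ctd%20t=%22")

# Assumed page fragment: the form echoes yid inside a quoted attribute.
TEMPLATE = '<tr><td><input name="yid" value="{yid}"></td></tr>'


def param(url, name):
    """Return the first (URL-decoded) value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """Reflect yid verbatim: the decoded value closes the attribute and the
    <td>, then a <script> element becomes part of the page."""
    return TEMPLATE.format(yid=param(url, "yid"))


def render_fixed(url):
    """Same page, but the reflected value is escaped for an attribute context
    (quote=True also turns the closing quote into &quot;)."""
    return TEMPLATE.format(yid=html.escape(param(url, "yid"), quote=True))


def contains_script(markup):
    """Crude check used here only to compare the two renderings."""
    return "<script" in markup.lower()


# Session binding: the post notes that no IP / header check is done, so a
# stolen cookie is enough. Tying the session to the client seen at login is
# a coarse mitigation (constructed in-memory store for illustration).
SESSIONS = {}  # cookie value -> (client_ip, user_agent)


def login(cookie, client_ip, user_agent):
    SESSIONS[cookie] = (client_ip, user_agent)


def session_valid(cookie, client_ip, user_agent):
    """True only if the cookie exists and the client matches login-time data."""
    return SESSIONS.get(cookie) == (client_ip, user_agent)
```

Binding to the client IP breaks for users behind rotating proxies or NAT pools, so in practice the User-Agent check is the safer of the two and neither replaces escaping the reflected output.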

