lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: skylined at edup.tudelft.nl (Berend-Jan Wever)
Subject: iName/Mail.com security holes opens door to millions of e-mail accounts

Old news...
I allready wrote a javascript virus for mail.com, but they just didn't care ;(

SkyLined
  ----- Original Message ----- 
  From: Andrew G. Tereschenko 
  To: Full Disclosure ; BugTraq ; Securiteam 
  Sent: Thursday, August 29, 2002 5:07
  Subject: [Full-Disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts


  iName/Mail.com security holes opens door to millions of e-mail accounts 


  Millions of free Internet e-mail accounts provided 
  by iName/MAIL.COM service are vulnerable to a major security 
  breach that allow to change account information 
  including password hint/answer as result a password too. 


  The breach work via special email message constaining javascript 
  code in html file attachment. 
  In case if user will open this email in web mail interface 
  this code will redirect user browser to evil site. 
  This site will redirect it back to mail.com page changing account information. 
  Because login session cookies are still valid, account information will be changed. 

  Here is a list of email domains hosted by MAIL.COM service: 

  -------- 
  Mail.com, Email.com, consultant.com, europe.com, mindless.com, 
  earthling.net, myself.com, post.com, techie.com, usa.com, 
  writeme.com, 2die4.com, artlover.com, bikerider.com, catlover.com, 
  cliffhanger.com, cutey.com, doglover.com, gardener.com, 
  hot-shot.com, inorbit.com, loveable.com, mad.scientist.com, 
  playful.com, poetic.com, popstar.com, saintly.com, seductive.com, 
  soon.com, whoever.com, winning.com, witty.com, yours.com, 
  africamail.com, arcticmail.com, asia.com, australiamail.com, 
  europe.com, japan.com, samerica.com, usa.com, berlin.com, 
  dublin.com, london.com, madrid.com, moscowmail.com, munich.com, 
  nycmail.com, paris.com, rome.com, sanfranmail.com, singapore.com, 
  tokyo.com, accountant.com, adexec.com, allergist.com, alumnidirector.com, 
  archaeologist.com, chemist.com, clerk.com, columnist.com, comic.com, 
  consultant.com, counsellor.com, deliveryman.com, diplomats.com, doctor.com, 
  dr.com, engineer.com, execs.com, financier.com, geologist.com, graphic-designer.com, 
  hairdresser.net, insurer.com, journalist.com, lawyer.com, legislator.com 
  lobbyist.com, minister.com, musician.org, optician.com, pediatrician.com, 
  presidency.com, priest.com, programmer.net, publicist.com, realtyagent.com, 
  registerednurses.com, repairman.com, representative.com, rescueteam.com, 
  scientist.com, sociologist.com, teacher.com, techie.com, umpire.com 

  and possibly some others because mail.com hosting some non-free email ISP's 
  -------- 


  Proof: 

  Sample page with a exploit available here: http://tager.org/mail.com/

  You can request test email to be sent into your iName/MAIL.COM account. 
  Opening this test email will redirect your browser twice. 
  As result your account information will be changed to values known to evil site. 
  (You can check it by clicking on "My Account"). 

  One of information changed is a Password Hint/Answer. 
  (I'm changing it to some random values to prevent 
  exploiting this hole by lame script kiddies) 

  In case if evil site will store information from all successful attempts 
  it will be able to easy obtain user's password by "Forgot Password" service. 


  A bit more technical details: 
  There is at least two bugs on mail.com used for this: 
  1. /scripts/mail/mesg.mail failed to remove script code from html attachment 
  2. /scripts/common/profile.cgi accept information submitted by untrusted servers. 


  Current advice to users: 
  There is no way to use this site without JavaScript. 
  (Mail.com is trying to get as many as possible money 
  from javascript Advertisement pop-ups) 

  As result there is only one way to protect yourself: 
  "Do not open any email's with attachments 
  until Mail.com will fix this bug" 


  Credit: 
  This bug was not originally found by me. 
  I would like to thank one "black hat" hacker (possibly from Russia) 
  who was trying to take control over my email account. 


  Feel free to contact me for more details, 
  -- 
  Andrew G. Tereschenko 
  TAG Software, Research Lab 
  Odessa, Ukraine 
  secure@....odessa.ua 

  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020831/098ef288/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ