From: FozZy (FozZydmpfrance.com)
Date: Sun Dec 02 2001 - 23:11:09 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    The following should be read by development teams of web applications
    dealing with private user data, and especially webmail services.

    I All Webmails
    --------------
    I am currently researching the degree of security of many webmail sites
    and applications, by focusing on the client side of the problem, that is:
    the user's behavior, and the content of the web pages sent to his Internet
    browser. The security level of these services seems to be very low: many
    holes discussed in the past on the Internet can still be exploited, allowing a
    third party to read the user's emails and account preferences, retrieve his
    password, etc.

    Why ?
    - Many of these services or applications are free, so they don't want to
    (or cannot) spend money on security audits.
    - Developers don't have a good understanding of "client-side" problems.
    - Knowledge about previously discovered vulnerabilities is not centralized.
    Some of them were published in a different context. So it's easy to miss
    something when searching the Internet.

    That's why, in a few weeks, I will post on BugTraq a technical security
    paper explaining *known* vulnerabilities and tricks used in the past to
    bypass protections of webmail services. It will be helpful for performing
    audits, and will increase users' and developers' understanding of these
    problems. I hope it will open the way to a decent security level.
    Due to the huge number of vulnerable sites and applications, I suggest that
    webmail developers send me their signed PGP key so that I can give them
    this technical paper *before* I release it to the public.

    [ Note: I would also appreciate comments on my paper from a security
    expert, and it would be nice if a specialist wanted to add a reference text
    about good filtering of HTML content. ]

    II Yahoo! Mail
    --------------
    Cross-site scripting vulnerabilities on the yahoo.com domain were reported
    six months ago on Bugtraq by mparcenshushmail.com. (see
    http://www.sidesport.org) They allow JavaScript code to steal the session
    cookie and send it over the Internet to a CGI script, which could then gain
    access to the mailbox of the user without knowledge of his password. My
    tests seem to show that no check on the IP address of the user (and the HTTP
    headers) is performed.
    It seems that many pages are still vulnerable to cross-site scripting on
    *.yahoo.com. For instance, the CGI feedback forms:
    http://add.yahoo.com/fast/help/uk/mail/cgi_spam?send=yo&yid=%22%3E%3C/td%3E%3Cscript%20Language=JavaScript1.1%3Ealert(document.cookie)%3C/script%3E%3Ctd%20t=%22

    I will not develop that further now. Other Yahoo! Mail potential security
    problems are currently under investigation (see
    http://www.dmpfrance.com/YahooJavaScript.jpg).
    I'd like to be contacted by a Yahoo executive so that Yahoo can apply fixes
    before I disclose anything. A two-hour phone call to Yahoo France was
    unsuccessful (I could only speak to a technician who did not want to
    disturb a US engineer for such a little thing). I hope this post will help.

    III Users Protection
    --------------------
    Users of webmail services should:
    - disable Active Scripting (sadly, many webmails need JavaScript to operate
    properly)
    - disable automatic image loading
    - view messages in plain text rather than in HTML
    - never click on a link submitted in an email, even if it is to a trusted
    website.

    FozZy
    Hackademy staff, Paris, France.
    "Security seen from a hacker's point of view is always one step beyond
    traditional security"

    http://www.dmpfrance.com
    fozzydmpfrance.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQA/AwUBPAsJbBr0kU1q7chOEQI6vACfWm6JbWLzTCJqQeCzJ0l175oN9T0AoMqN
    Ua7rM9fZsHbXFKKewGyIUjFo
    =V534
    -----END PGP SIGNATURE-----
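The two server-side weaknesses the post describes (a CGI parameter copied into the page without encoding, and a stolen session cookie accepted from any client) are easy to show side by side. The following is an added illustration, not code from the post or from Yahoo!: the page template, the session store, the user names and the client addresses are all constructed for the example. Only the query string of the feedback URL quoted above is reused, to show how attribute-context HTML encoding neutralises that kind of input.

```python
"""Added example (not part of FozZy's post): two defensive checks for the
webmail problems the post describes. Everything except the quoted URL is
constructed for illustration."""
import html
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# The feedback-form URL quoted in the post; only its query string is used.
REPORTED_URL = (
    "http://add.yahoo.com/fast/help/uk/mail/cgi_spam?send=yo&yid=%22%3E%3C/td%3E"
    "%3Cscript%20Language=JavaScript1.1%3Ealert(document.cookie)%3C/script%3E%3Ctd%20t=%22"
)


def yid_from_url(url: str) -> str:
    """Decode the yid parameter the way a CGI script would receive it."""
    return parse_qs(urlparse(url).query)["yid"][0]


# Constructed stand-in for the feedback page. The parameter lands inside a
# tag attribute, which is why the reported payload starts by closing the
# quote and the <td> before opening a <script> element.
TEMPLATE = '<table><tr><td t="{yid}">Thanks for your feedback</td></tr></table>'


def render_unsafe(yid: str) -> str:
    """'Before': the parameter is copied into the page verbatim."""
    return TEMPLATE.format(yid=yid)


def render_safe(yid: str) -> str:
    """'After': attribute-context encoding. quote=True also escapes " and ',
    so the value can no longer break out of the attribute."""
    return TEMPLATE.format(yid=html.escape(yid, quote=True))


def contains_script(page: str) -> bool:
    """Detection helper: does the rendered page contain a live <script> tag?"""
    return "<script" in page.lower()


@dataclass
class Session:
    user: str
    client_ip: str
    user_agent: str


class SessionStore:
    """Minimal in-memory session table (constructed) that records the client
    that logged in and refuses the cookie from a different client, which is
    the check the post found missing."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, client_ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = Session(user, client_ip, user_agent)
        return sid

    def resolve(self, sid: str, client_ip: str, user_agent: str):
        """Return the user for a presented cookie, or None if the cookie is
        unknown or is presented from a client other than the one that
        logged in (the replay case a cookie thief would be in)."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session.client_ip != client_ip or session.user_agent != user_agent:
            return None
        return session.user


if __name__ == "__main__":
    yid = yid_from_url(REPORTED_URL)
    print("unsafe page carries script:", contains_script(render_unsafe(yid)))
    print("encoded page carries script:", contains_script(render_safe(yid)))
    store = SessionStore()
    cookie = store.login("alice", "192.0.2.10", "Mozilla/4.0 (constructed)")
    print("same client:", store.resolve(cookie, "192.0.2.10", "Mozilla/4.0 (constructed)"))
    print("replayed from elsewhere:", store.resolve(cookie, "198.51.100.7", "Mozilla/4.0 (constructed)"))
```

The encoding fix is the one that actually removes the injection; the client-binding check only limits what a stolen cookie is worth, and it should be treated as a second layer: users behind rotating proxies or on mobile networks change address mid-session, so a production service would typically bind to fewer or softer attributes and re-authenticate on mismatch rather than silently drop the session.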