-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following should be read by development teams of web applications dealing with private user data, and especially webmail services.

I All Webmails
- --------------

I am currently researching the degree of security of many webmail sites and applications, by focusing on the client side of the problem, that is: the user's behavior, and the content of the web pages sent to his Internet browser.

The security level of these services seems to be very low: many holes discussed in the past on the Internet can still be exploited, allowing a third party to read the user's emails and account preferences, retrieve his password, etc.

Why?

- - Many of these services or applications are free, so they don't want to (or cannot) spend money on security audits.
- - Developers don't have a good understanding of "client-side" problems.
- - Knowledge about previously discovered vulnerabilities is not centralized. Some of them were published in a different context, so it's easy to miss something when searching the Internet.

That's why, in a few weeks, I will post on BugTraq a technical security paper explaining *known* vulnerabilities and tricks used in the past to bypass protections of webmail services. It will be helpful to perform audits, and will increase users' and developers' understanding of these problems. I hope it will open the way to a decent security level.

Due to the huge number of vulnerable sites and applications, I suggest that webmail developers send me their signed PGP key so that I can give them this technical paper *before* I release it to the public.

[ Note: I would also appreciate comments on my paper from a security expert, and it would be nice if a specialist wanted to add a reference text about good filtering of HTML content. ]

II Yahoo! Mail
- --------------

Cross-site scripting vulnerabilities on the yahoo.com domain were reported six months ago on Bugtraq by mparcensat_private (see http://www.sidesport.org). They allow JavaScript code to steal the session cookie and send it over the Internet to a CGI script, which could then gain access to the user's mailbox without knowledge of his password. My tests seem to show that no check on the IP address of the user (and the HTTP headers) is performed.

It seems that many pages are still vulnerable to cross-site scripting on *.yahoo.com. For instance, the CGI feedback forms:

http://add.yahoo.com/fast/help/uk/mail/cgi_spam?send=yo&yid=%22%3E%3C/td%3E%3Cscript%20Language=JavaScript1.1%3Ealert(document.cookie)%3C/script%3E%3Ctd%20t=%22

I will not develop that further now. Other Yahoo! Mail potential security problems are currently under investigation (see http://www.dmpfrance.com/YahooJavaScript.jpg). I'd like to be contacted by a Yahoo executive so that Yahoo can apply fixes before I disclose anything. A 2-hour phone call to Yahoo France was unsuccessful (I could only speak to a technician who did not want to disturb a US engineer for such a little thing). I hope this post will help.

III Users Protection
- --------------------

Users of webmail services should:

- - disable Active Scripting (sadly, many webmails need JavaScript to operate properly)
- - disable automatic image loading
- - view messages in plain text rather than in HTML
- - never click on a link submitted in an email, even if it is to a trusted website.

FozZy
Hackademy staff, Paris, France.
"Security seen from a hacker's point of view is always one step beyond traditional security"
http://www.dmpfrance.com
fozzyat_private

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPAsJbBr0kU1q7chOEQI6vACfWm6JbWLzTCJqQeCzJ0l175oN9T0AoMqN
Ua7rM9fZsHbXFKKewGyIUjFo
=V534
-----END PGP SIGNATURE-----
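The feedback-form URL quoted in section II works because a query parameter is copied into the page unencoded, so a value containing `">` closes the attribute and the surrounding cell and lets a `<script>` element through. The following is an added example, not code from the post or from Yahoo: a vulnerable server-side template in JavaScript next to its hardened form, run against a constructed request with the same query shape as the one in the post (the `yid` parameter, the table-cell layout and the `webmail.example` host are assumptions).

```javascript
// Added example (not from the original post or the Yahoo service): reflected
// cross-site scripting in a CGI-style feedback form, vulnerable rendering
// beside the hardened one. The "yid" parameter, the table layout and the host
// name are assumptions modelled on the URL quoted in the post.

// Entity-encode a value for HTML text and double-quoted attribute contexts.
// Every character that can change the meaning of markup becomes a literal.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering: the decoded query value is concatenated straight into
// a double-quoted attribute, so a value that starts with "> closes the
// attribute, the input and the cell, and whatever follows is parsed as markup.
function renderFeedbackFormUnsafe(query) {
  return `<table><tr><td><input name="yid" value="${query.yid}"></td></tr></table>`;
}

// Hardened rendering: the same template, but the untrusted value is encoded
// for the attribute context it lands in, so the browser sees only text.
function renderFeedbackFormSafe(query) {
  return `<table><tr><td><input name="yid" value="${escapeHtml(query.yid)}"></td></tr></table>`;
}

// Parse the query string the way the CGI would, decoding %xx escapes.
function parseQuery(url) {
  const out = {};
  for (const [key, val] of new URL(url).searchParams) out[key] = val;
  return out;
}

// Crude check used by the demo: did a script element reach the rendered page?
// (It answers the question for this payload; it is not a general XSS detector.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request, same query shape as the URL quoted in the post.
const SAMPLE_URL =
  'http://webmail.example/cgi_spam?send=yo&yid=%22%3E%3C/td%3E%3Cscript%20Language=JavaScript1.1%3Ealert(document.cookie)%3C/script%3E%3Ctd%20t=%22';

// Render the constructed request both ways and report whether the injected
// script element survived into the page.
function demo() {
  const query = parseQuery(SAMPLE_URL);
  return {
    unsafe: containsScriptTag(renderFeedbackFormUnsafe(query)), // true
    safe: containsScriptTag(renderFeedbackFormSafe(query)),     // false
  };
}

console.log(demo());
```

The fix is contextual output encoding at the point where untrusted data meets markup, applied to every reflected parameter rather than to the one that happened to be reported. Encoding the injection point addresses the bug itself; the session-cookie theft the post describes is additionally limited, in browsers that support it, by marking the session cookie `HttpOnly` so that script cannot read `document.cookie`, a mitigation that is worth pairing with the encoding but does not replace it.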
This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 10:53:23 PST