Black Watch Labs Security Advisory #00-02 (March 6, 2000) - Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data. A mail application used by some free mail services employs a weak security scheme. It assigns session-IDs ("tokens") for logged-in users which allow reading of arbitrary users' messages and private information.
7815a9188518f7dca9bb895ee2d46cbe8a4c31d7ce086fa88d7be614939b7586 Black Watch Lab - Vulnerabilities
Black Watch Labs ID: BWL-00-02
Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data
Black Watch Labs Security Advisory #00-02 (March 3, 2000)
Name:
Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data
Black Watch Labs ID:
BWL-00-02
Date Released:
March 3, 2000
Category:
Application (HTML) - Weak Session Token
Products affected:
Free Web mail services powered by mail.com (two underlying free Web mail applications were identified, and this
vulnerability pertains to only one of them. Services that use the other application are not vulnerable as far as we
know. The free Web mail offered directly by mail.com is not vulnerable)
Number of affected sites/pages/users:
We currently know of two major sites that use this application. It is estimated that the total number of subscribers
to these services is in the order of magnitude of hundreds of thousands.
Summary:
The mail application employs a weak security scheme. It assigns session-IDs ("tokens") for logged-in users which allow
reading of arbitrary users' messages and private information, if enough effort is invested.
Analysis:
The mail service, upon successful login, assigns an encoded session-ID for the user, in the following manner:
1. The mailbox's number (a decimal number consisting of around 8 digits) is concatenated with a colon symbol, and the
current time (in seconds since 01/01/1970, based on the server's clock, 9-10 decimal digits) is appended to it,
reading nnnnnnnn:ttttttttt (where nnnnnnnn is the number of the mailbox, and ttttttttt is the time). This string
will be referred to as the clear session-ID.
2. A base letter is randomly generated, probably in the range A-J.
3. The encoded session-ID consists of the base letter, concatenated with pairs of capital letters, each pair
conforming to a character in the clear session-ID, where this character's ASCII code is represented in two decimal
digits, and these digits are taken as an offset relative to the base letter. For example, if the base letter is A,
then a character "1", whose ASCII code is 49 is represented as EJ, and if the base letter is G and the character
to encode is ":", whose ASCII code is 58, then the encoded representation is LO.
This encoded session-ID identifies the session, and is given back to the user via a cookie (if the user is willing to
accept such one), or as part of the URL. In both cases, the name of the parameter (or the cookie) is "iNAME", e.g.
iNAME=BFKFGGGGHGBGIGHGFGJGIGDGFGIGCGDGFGDGI. In many cases we encountered a situation wherein both the cookie and the
URL trailer were sent to the user.
Apparently, the session is identified by the encoded session-ID, and by it alone. Empirically, the session is not
accessible if one changes the timestamp, the mailbox number, or even the base-letter (of course, re-adjusting the rest
of the string).
The session is alive as long as the user has not logged-out, and the account is not idle for longer than 6 hours.
Therefore, if an attacker gains the encoded-session-ID while the session is still alive, he/she can access all the
information residing in the user account, such as personal information and messages.
The encoded session-ID can be reconstructed statistically (that is, an attacker can generate several candidates, one
of which will be correct) relatively easily. First, the attacker needs to guess (or know beforehand) a mailbox number.
Then, the attacker should estimate when the owner of the mailbox accesses the mailbox (a fair estimate would be once a
day). Next, the attacker needs to know the approximate time on the mail server (easily done if the attacker opens a
valid account there, and decodes the session-ID which contains the server time). Now, in order to gain access to the
mailbox, the attacker needs to write a script that generates for each second of the day, all possible 10 encoded
session-IDs (one per each possible base-letter), and send these to the server (either as a cookie or embedded into a
request URL). If indeed the owner of the mailbox logged-in during the day, then the script will discover it, and as a
final step in the script, it should get all the mailbox info.
In a side note it should be stated that the application does not sanitize HTML and JavaScript when a user of the
application views the body of a mail message sent to him/her. As a result, most of the standard exploits (e.g.
embedding links and Javascripts in various tags) work well and can be used as standalone attacks or in conjunction
with the above vulnerability (e.g. to establish the initial link between email address and mailbox number)
Exploits:
Identifying the vulnerable application can be done by checking whether the suspected application is willing to serve
clients that disallow cookies (only the vulnerable application does that), and that once the user logged-in, the URLs
have the "iNAME=..." trailer. If such is the case, the attack method described above is applicable. Naturally we do
not provide an automated script that implements the attack.
Vendor Status:
Vendors using the mail.com product have been notified as has mail.com.
Vendor Patch or workaround:
Not available at the time of this release.
About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies Inc., the leader in Web Application Security
Management. Black Watch Labs was established in order to further the knowledge of the Internet community in the arena
of Web application security management. Black Watch Labs publishes security advisories regularly, which are maintained
at http://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and Web sites. Black
Watch Labs also operates a Web application security mailing list, which can be subscribed to at
http://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security
Management, please call (408) 855-9500 or email BlackWatchLabs@perfectotech.com.
About Perfecto Technologies (http://www.perfectotech.com/)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web
Application Security Management software. AppShield, Perfecto Technologies' flagship product offering, is the first to
provide extreme security for customer-facing applications in dynamic Web site environments. Perfecto Technologies has
customers in many sectors including, banking, retailing, finance, government and healthcare. Privately held, Perfecto
Technologies is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Walden and
Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Web site at
http://www.perfectotech.com/ or by calling the Company directly at (408) 855-9500.
Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety,
provided the information, this notice and all other Perfecto Technologies marks remain intact.
Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON
THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE
PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY
PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE,
INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER
PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.
NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent,
trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever
arising out of or in connection with the use or spread of this information. Any use of this information is at the
user's own risk.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed