TOPIC: Hushmail.com accounts vulnerable to script attack. ADVISORY NR: 200102 DATE: 12-09-01 VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon) CONTACT INFORMATION: http://onesemicolon.cjb.net me@onesemicolon.cjb.net STATUS: Hushmail.com was contacted on September 5, 2001 using the support form. No reply was received. DESCRIPTION Hushmail.com is a web based mail service that promotes itself as a secure solution. This vulnerability was tested to work in Internet Explorer 5.5. VULNERABILITY Whenever you login to a Hushmail account the inbox is opened. If you send a email with a specially formed "from" field, which usually contains a name, you can execute javascript, vbscript, etc. on the computer of the person who logged in. This also works for the "topic" field. FIX Hushmail.com has not yet fixed this to my knowledge. FINAL NOTES Recently a advisory was posted on Bugtraq about a similar bug in Hotmail. This advisory was not written because of that. I found this particular problem on September 5th. On the same day I contacted Hushmail.com. I sent Hushmail a simple proof of concept, because it is easy enough to make this work I do not see the need to produce example code. You WILL have to make some adjustments on how you send your script to make it work.
