Most webmails have major security holes allowing people to hijack the accounts of other users. It is then possible to read/destroy e-mails, read/change preferences, and sometimes (as in the Hotmail case) hack into the user's computer. If someone who is authenticated through the webmail has access to other web services, the malicious hacker can use them too (that's why a webmail should never be integrated with online auction/bank account/stock exchange services...).

This is an old and well-known issue. But... I want to show that even the biggest companies have these security flaws, which are easy to find and easy to fix, but they don't really care about them, and I try to understand why. I focus here on how three different companies handle these privacy threats:

- Microsoft: software developer, provides Internet services through Hotmail.
- Yahoo!: all activities depend on the Internet.
- Vizzavi: a web portal from the big European media group Vivendi Universal.

At this time (April 1st 2002), only Hotmail is fixed, although each company was contacted more than 3 weeks ago.

This is a special class of security problems since it harms only the end user, through theft of personal data like e-mails. The servers of the company providing the web service are not at risk, because the "hack" takes place at the level of the user's browser. There is no possibility of a global denial of service, no money loss, no intrusion detection, so no action is required from technical staff... So, from a financial point of view, there is no need for the companies to put too much money into securing their web services. But protecting the end user's privacy should be a top priority, shouldn't it?

WHAT DO COMPANIES DO?

Warning: I talk only on the basis of my own experience with these companies, and I may be wrong...

1) MICROSOFT HOTMAIL [FIXED after 3 months]

- They handle the relationship with the security community perfectly, via secure@microsoft.com.
Their response time is great (from 10 minutes to 24 hours).
- They have the will to patch this kind of security flaw. And Microsoft France seems to care about these issues.
- But they don't care enough! The hole I found was really easy to find (they could have found it themselves), and their first patch was bad: from December 2001 to March 2002, it was possible to steal the e-mails of users - and much more.

More about this security hole: I had found a major security hole in December 2001. Because of a flaw in the design of their "malicious html" filter, there was a "magic string" that could totally disable this filter when reading an e-mail. This allows javascript to be embedded in an evil html message (allowing theft of the session cookie and reading of e-mails), but more frightening is the possibility to make the user's browser display any html tag with any parameter, like IFRAME, OBJECT, etc. It was then possible to send a virus or hack into the Hotmail user's computer, by triggering the security holes of Internet Explorer. For more details see vuln-dev: http://online.securityfocus.com/archive/82/246989

It took only a week for Microsoft to fix that. I published the vulnerability on the Internet. Three months later, I took a look at it and realized that the fix for this public vulnerability had a huge flaw. Fifteen minutes were enough to see that there was still a "magic code" disabling the html filter! It seems that nobody cared to test the new filter. Here is this new "magic code":

<SCRIPT> </COMMENT> <!-- --> -->

I used this successfully to inject a trojan horse into the computer of a Hotmail user running an unpatched version of IE, without knowledge of his IP address or anything except his Hotmail address... I also downloaded all the e-mails in his mailbox with 1 line of javascript in an e-mail and a 4-line cgi script on a webserver. Scary. Only two days after I reported it, Microsoft issued a much stronger fix for this vulnerability.

2) YAHOO! MAIL [NOT FIXED]

- They don't have any contact address, only feedback forms. I submitted three different forms but never got any answer.
- By phoning Yahoo France, I was not allowed to talk to the right person. The hotline staff does not seem to be educated to care about these privacy problems.
- Sending an official letter to them was the solution. When I could talk to the right people, I saw they had the will to patch the holes, and I now have the e-mail address of someone in charge of this at Yahoo.
- But two or three people having a "will" is not enough. It seems to me that the company itself doesn't care whether these people do a good job with that, and I also think this is not their main job. It took them 3 weeks to make correct patches last December... and they patched only one of the two holes we found last month. Yahoo does not seem to have set up a policy about the handling of these "privacy problems". So, it is still possible to read other people's e-mail on Yahoo...

More on these "new" holes we found (in fact, holes found before on other websites by other people, but with small changes): it is possible to insert a "script" tag into an html message by using these tricks:

<_a<script> [fixed]
<<script> (this one was found by BugSan) [NOT fixed]

These codes were sent to Yahoo a month ago and published a week ago in France (Hackerz Voice newspaper). Why they fixed only the first one is a mystery to me. I hope this post will help to make them issue a fix very soon. (Since I am not in Paris I don't have the e-mail address of my contact at Yahoo France, but the issue is already public, and the users' accounts are still at risk, so there is a need for a quick fix and that's why I am posting everything here.)

3) VIZZAVI [NOT FIXED]

- They give e-mail addresses for personal contacts on their website (Vizzavi officials). Good.
- They did not answer my e-mails. And the holes are still there. Bad.
- They have a form to report "bugs". But they did not answer.
- Vivendi Universal did not react to the letters we sent three weeks ago.
- No reaction after the publication in France of these security holes: it is still possible to inject javascript into an e-mail with very basic things like <b onmousover="...">go here</b> or <img [line_break] src="javascript:alert(document.location)"> (the line break is needed to bypass a kind of strange filter), etc. [NOTHING fixed]

Unlike Yahoo, Vizzavi is only a portal relying on non-Internet activities. Unlike Microsoft, the other activities of Vivendi are not computer-related. So, they are probably not used to reacting to this kind of computer threat.

TO CONCLUDE: WHAT SHOULD EVERY COMPANY DO?

- Set up an e-mail address to report security problems, or add a "security" topic in their feedback forms.
- Educate the hotline staff: this kind of e-mail/feedback form/phone call should be given top priority, and transferred quickly to the right person.
- Have someone who can and WANTS to handle this particular kind of security problem (web and privacy).
- Have someone who actively tries to detect old and new security problems in their web services.

Most of the vulnerabilities I can find on many webmails are either old ones (months or years), small variations on old ones, or new ones - but always very simple and easy to find. Every company now has a website. They all want to put dynamic content on it, provide web services, attract consumers with member registration and non-free services, etc. Dealing with web security and privacy, and the feedback about it from users, is a necessary pain; they will all have to define clear policies and contact addresses, think about how to handle security bug reports, how to react... Only Microsoft seems to have begun this necessary thinking.

THANKS TO: Bipeurs and BugSan, who made an investigation for the newspaper "Hackerz Voice" (http://www.dmpfrance.com) and found holes in 17 different webmails.

FozZy
Hackademy - Paris.
Hackerz Voice International Edition: http://www.hackerzvoice.com/inted.html
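The filter bypasses quoted in the post (Hotmail's "magic code", the two Yahoo! tricks, and the Vizzavi event-handler and line-break cases) share one root cause: a blacklist of bad-looking substrings applied to raw text, which the browser's own tag parser does not agree with. As an added example that is not part of FozZy's post, the Python below runs exactly those strings through a hypothetical reconstruction of such a line-by-line regex blacklist (my assumption of how the 2002 filters worked, not a description of any vendor's code) and through an allowlist sanitizer built on the standard library's html.parser, which tokenizes the message the way a browser would and re-serializes only known tags and attributes. The tag allowlist, the safe-scheme list and the use of the standard event name onmouseover for the post's "onmousover" are also my assumptions.

```python
"""Added example (not from FozZy's post): regex blacklist vs. allowlist
sanitizer, both run over the filter-bypass strings quoted in the post."""
import html
import re
from html.parser import HTMLParser

# Strings quoted in the post (constructed test set; the handler case uses the
# standard event name `onmouseover` for the post's `onmousover`).
SAMPLES = {
    "hotmail_magic": "<SCRIPT> </COMMENT> <!-- --> -->",
    "yahoo_underscore": "<_a<script>",
    "yahoo_double_lt": "<<script>",
    "vizzavi_handler": '<b onmouseover="...">go here</b>',
    "vizzavi_linebreak": '<img\nsrc="javascript:alert(document.location)">',
}

# 1. Blacklist filter: hypothetical reconstruction of the 2002-era approach,
#    a few regexes applied to each line of the message body.
_SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
_EVENT_ATTR = re.compile(r'\son\w+\s*=\s*"[^"]*"', re.I)
_JS_URL = re.compile(r'<(?:img|a)\b[^>]*(?:src|href)\s*=\s*"javascript:[^"]*"', re.I)


def naive_filter(message: str) -> str:
    out = []
    for line in message.split("\n"):
        line = _SCRIPT_BLOCK.sub("", line)  # only fires with a closing </script>
        line = _EVENT_ATTR.sub("", line)    # strips on*="..." handlers
        line = _JS_URL.sub("", line)        # needs tag and URL on the same line
        out.append(line)
    return "\n".join(out)


# 2. Allowlist sanitizer: tokenize with html.parser, keep only known tags and
#    attributes, and rebuild the output from scratch; unknown tags are dropped.
ALLOWED_TAGS = {"b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
                "a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value: str) -> bool:
    """Accept relative URLs and http/https/mailto only.  Whitespace and control
    characters are removed first because browsers ignore them inside a scheme."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    before_path = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in before_path:
        return True  # no scheme at all: a relative URL
    return cleaned.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0  # >0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:  # unknown tag: dropped entirely
            return
        kept = []
        for name, value in attrs:
            if name not in allowed or value is None:
                continue  # event handlers are never in the allowlist
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:  # text is always entity-escaped on output
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped


def sanitize(message: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(message)
    parser.close()
    return "".join(parser.out)


_RESIDUE = re.compile(r"<script|\son\w+\s*=|javascript:", re.I)


def still_dangerous(fragment: str) -> bool:
    """Crude residue check, used only to compare the two filters."""
    return bool(_RESIDUE.search(fragment))


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:18} blacklist leaks: {still_dangerous(naive_filter(sample))!s:5} "
              f"allowlist -> {sanitize(sample)!r}")
```

Run as a script, the blacklist leaks on four of the five samples (every case without a closing </script> on the same line, and the line-break case), while the allowlist version reduces them to empty text, an escaped "&lt;", a bare <b> or a bare <img>. The design point is the one the post keeps running into: a filter that edits the raw message can never enumerate every way a browser will recover a tag from malformed input, whereas a tokenizer plus re-serialization only ever emits markup it built itself.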