
Journal fishdan's Journal: Huge web email hole

So the other day my friend's band was looking through the logs from their newsletters, and lo and behold they saw that one referring URL was from iwon. On a lark, they plugged the URL into the browser, and BOOM they suddenly had full access to the sender's email account.

Being responsible lads, they tried to email Iwon to tell them about the security hole, but their messages were ignored. A little investigation revealed that using the referring URL in the log file: http://e9.email.iwon.com/msg_read.php?m=0&s=1&d=1&mid=3&ArdSI=3f9119e75050df664bc9226ae7df52a1&ArdSI=3f9119e75050df664bc9226ae7df52a1 would give you complete access to Saddam Hussein's email account. The link is no longer valid; the session has expired.

How you can verify this:

1. Create an email account. You have to both sign up for Iwon, and then once that is done create an email account. Confusing, but /.ers will figure it out.

2. Create a web site, and log everything, especially referring URLs.

3. Send an email with an href link to your web site to the iwon account (takes 45 mins after creating email account before it can receive email so don't go too fast).

4. Click on the link in the email account.

5. Check your logs for the referring URL.

6. Put that URL into your browser.

7. Use the links on the left to navigate around.

Voila -- full access.

A little more investigation reveals that the URL actually seems to contain a session id. After a little while of inactivity (2 hours?) you get a session expired page. Can they really be storing the session id in the URL? Is anyone really that sloppy? How can such huge dumbasses be employed in this market? Iwon clearly contracts their email out to some other site, hence the separate login, etc. It might be interesting to see if that company is providing email service to any other site, and if the vulnerability is still there. Props to ccano for verifying some of this.
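The leak described above shows up on the receiving side as a Referer header carrying someone else's session token. The following is an added example (not from the journal or from Iwon) of the log-hygiene check a site operator would run: scan combined-format access logs for referrers whose query string carries a session-like parameter, so the tokens can be redacted from stored logs and the originating service notified. The host names, tokens and the SESSION_KEYS list are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Query keys that conventionally carry a session identifier (assumed list; extend as needed)
SESSION_KEYS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid", "ardsi"}
# A long unbroken hex or base64url value is treated as a token whatever its key is called
TOKEN_RE = re.compile(r"^(?:[0-9a-fA-F]{32,}|[A-Za-z0-9_-]{40,})$")

def session_params(referer):
    """Yield (host, key, value) for each query parameter in a Referer URL that looks like a session id."""
    parts = urlsplit(referer)
    for key, val in parse_qsl(parts.query, keep_blank_values=False):
        if key.lower() in SESSION_KEYS or TOKEN_RE.match(val):
            yield parts.netloc, key, val

def find_leaked_sessions(log_lines):
    """Return (referrer_host, key, value) for every request whose Referer carried a session-like parameter."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("", "-"):
            continue
        findings.extend(session_params(m.group("referer")))
    return findings

def redact_line(line):
    """Mask token values in the Referer field before the line is stored or shared."""
    m = LOG_RE.match(line)
    if not m:
        return line
    for _host, _key, val in session_params(m.group("referer")):
        line = line.replace(val, "[REDACTED]")
    return line

# Constructed sample log lines: hosts under .example.test and the hex token are made up
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2003:13:55:36 -0400] "GET /news HTTP/1.1" 200 512 "http://webmail.example.test/msg_read.php?m=0&mid=3&ArdSI=0123456789abcdef0123456789abcdef" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Oct/2003:13:56:01 -0400] "GET /news HTTP/1.1" 200 512 "https://search.example.test/?q=band+newsletter" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2003:13:57:10 -0400] "GET /news HTTP/1.1" 200 512 "https://shop.example.test/cart?PHPSESSID=abc123" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Oct/2003:13:58:22 -0400] "GET /news HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, key, val in find_leaked_sessions(SAMPLE_LOG):
        print(f"session token received from {host}: {key}={val}")
```

Running the check over SAMPLE_LOG flags the webmail and shop referrers and leaves the search-engine referrer alone; piping stored logs through `redact_line` keeps the tokens out of anything you archive or forward.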


You mean you didn't *know* she was off making lots of little phone companies?
