----- Original Message -----
Sent: Friday, March 15, 2002 7:19 PM
Subject: [IMail Forum] Old Hack on Hotmail seems to work on iMail web users...
Forum,

I don't know if this has ever been addressed, but my initial tests on my own iMail server seem to let me use this hack. I have a test page set up on:

Just type in an email address to one of your test accounts with a subject line and send the message.
Basically, if you send an HTML/MIME formatted email to an account with simple javascript, the web-based viewer will run the javascript. In this case, I've included a redirect to another server that happens to have a login screen.
The idea is, since the web session times out occasionally, you condition your users to expect to re-enter their username and password from time to time. So, if you use an email to redirect their browser to a login screen, you get a bunch of usernames and passwords.
For those that have customized their login screens to be different than the default iMail login, I suppose one could use a referrer type argument on the email, then use ASPHTTP to grab the login screen from the original server, etc, etc, ad infinitum... but I'm lazy.
the page. It's trivial to write an ASP page to send the email, but I'm not going to include it here. I've landed myself in court on that sort of thing before.
I'm guessing there are a few ways to prevent this. I'm just wondering if this has been addressed or if this is even viewed as a minor issue.
1) Don't use web interface at all.
2) Filter each email for script and kill it. As anyone with javascript experience knows, this would be extremely difficult as you can embed javascript in html objects, events, etc...
3) Disable all incoming HTML email except from "trusted" sources.
The folks at Microsoft figured out how to get around this with Hotmail and I think they chose option #2. I apologize if I just opened up everyone's iMail accounts to this hack via this post, but it's better than not knowing if/how account passwords are getting stolen.
Norman J. Nolasco
Advarion Incorporated
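The filtering problem the post raises under option 2 (script carried in attributes, events and URLs rather than in `<script>` tags), as an added example that is not part of the original post and is not IMail's or Hotmail's code: a naive `<script>`-stripping filter beside an allowlist sanitizer built on Python's standard-library `HTMLParser`, which rebuilds the message from parsed tokens and keeps only listed tags and attributes. The sample message bodies, the hostname `attacker.example`, and the particular tag/attribute allowlist are constructed assumptions for illustration; each sample does what the post describes, redirecting the viewer's browser to a look-alike login page.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message bodies (not from the original post). Each one
# sends the webmail viewer's browser to a fake login page on the
# hypothetical host attacker.example, using a different vehicle for script.
SAMPLES = {
    "script_tag": '<p>Hi</p><script>location="http://attacker.example/login"</script>',
    "mixed_case": '<ScRiPt>location="http://attacker.example/login"</ScRiPt>',
    "event_handler": '<img src="x" onerror="location=\'http://attacker.example/login\'">',
    "js_url": '<a href="javascript:location=\'http://attacker.example/login\'">re-login</a>',
    "meta_refresh": '<meta http-equiv="refresh" content="0;url=http://attacker.example/login">',
}


def naive_strip(body):
    """Option 2 done the obvious way: delete <script>...</script> blocks only."""
    return re.sub(r"<script\b.*?</script\s*>", "", body, flags=re.I | re.S)


def looks_dangerous(body):
    """Rough indicator, used only to show what naive_strip leaves behind."""
    return re.search(r"<script|\son\w+\s*=|javascript:|http-equiv", body, re.I) is not None


# Assumed allowlist for the viewer: anything not listed is dropped, not escaped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "blockquote", "div", "span", "font"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "font": {"color", "size"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
VOID_TAGS = {"br", "img"}


def _safe_url(value):
    # Strip control characters and whitespace before reading the scheme, so
    # "java\tscript:" or "  javascript:" cannot slip past the check.
    probe = re.sub(r"[\x00-\x20]", "", value or "")
    return urlsplit(probe).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits the message from parsed tokens, keeping only allowlisted tags
    and attributes. Event handlers, style=, <script>, <style>, <meta> and
    comments never reach the output. HTMLParser lowercases tag and attribute
    names, so <ScRiPt> and ONERROR= are handled like their lowercase forms."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # pass entities through as-is
        self.out = []
        self.skip = 0   # >0 while inside <script>/<style> content

    def _open(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):                    # onload, onerror, ...
                continue
            if name not in ALLOWED_ATTRS.get(tag, ()):   # also drops style= (CSS expression())
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(self._open(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if not self.skip and tag in ALLOWED_TAGS:
            self.out.append(self._open(tag, attrs))
            if tag not in VOID_TAGS:
                self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")

    # Comments, <!DOCTYPE> and <?...?> use HTMLParser's default no-op
    # handlers, so they are dropped (no conditional-comment tricks survive).


def sanitize(body):
    p = AllowlistSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} naive_strip dangerous={looks_dangerous(naive_strip(body))!s:5} "
              f"sanitize -> {sanitize(body)!r}")
```

Run stand-alone, the script shows that `naive_strip` only disarms the two `<script>` samples and leaves the event handler, `javascript:` link and `<meta refresh>` intact, while `sanitize` reduces every sample to inert markup (`<p>Hi</p>`, `<img src="x">`, `<a>re-login</a>`, or nothing). The design point is the one the post hints at: a blocklist that searches for script is chasing every place a browser will execute it, whereas an allowlist decides what the viewer may render and discards everything else, so new vehicles for script are rejected by default.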