Webmail Flaw Leads to Compromise of 40 Million Accounts

Security researchers Matteo Carli and Rosario Valotta have independently found that all webmail programs built on the Memova framework are affected by a bug with a critical security impact. The Memova framework is a product of Critical Path, a vendor of messaging services and software. The bug, one more consequence of the enduring power of Cross-Site Scripting (XSS) flaws, combined with a second flaw, let attackers silently redirect the e-mail of a few million end-users of Europe's largest ISPs.

The researchers stated that the web-based bug in the widely used e-mail program severely compromised 40 million accounts, including those at Telecom, Vodafone and Wind among others, until it was finally fixed in early February 2009.

The researchers also indicated in a security advisory that all an attacker needs to do is e-mail a specially constructed message to the target victim. When the victim views the e-mail, without any further interaction, the forwarding settings of the victim's webmail account are silently changed. This tampering causes all of the victim's inbound e-mail to be automatically forwarded to the attacker's mailbox, so the attacker can read the e-mail of numerous users simply by checking his own webmail account.

Representatives of Critical Path did not respond to requests for comment, but one of the company's experts told The Register that Critical Path released a patch for the flaw once they were made aware of the problem. It is also worth noting that when the researchers inspected three sites, they found that two of them had protection features in place to limit the abuse of Cross-Site Scripting flaws.
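The attack described above relies on active content inside a received message being executed when the webmail renders it. The following is an added example, not code from the article, from Critical Path or from the Memova framework: an allowlist-based filter a webmail back end can apply to message bodies before display, which drops script elements, every event-handler attribute and non-http(s)/mailto links. The tag and attribute allowlists and the sample message body are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for rendering untrusted message bodies: anything not listed here is
# dropped, so script elements, on* handler attributes and javascript: links
# never reach the browser in the webmail's own origin.
ALLOWED_TAGS = {"p", "br", "div", "span", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}      # no attribute survives on any other tag
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # both the tag and its text are discarded
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


def _safe_href(value):
    """Accept only absolute http(s)/mailto links; every other scheme is rejected."""
    return (value or "").strip().lower().startswith(SAFE_URL_PREFIXES)


class EmailBodySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept as plain text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers every on* handler, style, src, etc.
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))  # re-escape the decoded text


def sanitize_email_html(body):
    parser = EmailBodySanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed sample message body (not from the article) mixing benign markup
# with the kinds of active content the filter must remove.
SAMPLE_BODY = ('<p onclick="go()">Hi <b>there</b></p><script>go()</script>'
               '<a href="javascript:go()">bad</a><a href="https://example.org">ok</a>'
               '<img src="x" onerror="go()">')
```

Rendering the filtered body from a separate domain, as the article notes two providers did, is a second layer on top of this filter, not a replacement for it.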
Specifically, the two sites with protection in place served the webmail from one domain and the iframes that display the e-mail content from another. Even so, the researchers found a way to bypass this protection using a technique known as 'reflected XSS.' Meanwhile, according to WhiteHat Security, the flaw has been patched and there have been no reports of it being exploited.

» SPAMfighter News - 4/3/2009