Black Watch Lab - Vulnerabilities Black Watch Labs ID: BWL-00-02 Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data Black Watch Labs Security Advisory #00-02 (March 3, 2000) Name: Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data Black Watch Labs ID: BWL-00-02 Date Released: March 3, 2000 Category: Application (HTML) - Weak Session Token Products affected: Free Web mail services powered by mail.com (two underlying free Web mail applications were identified, and this vulnerability pertains to only one of them. Services that use the other application are not vulnerable as far as we know. The free Web mail offered directly by mail.com is not vulnerable) Number of affected sites/pages/users: We currently know of two major sites that use this application. It is estimated that the total number of subscribers to these services is in the order of magnitude of hundreds of thousands. Summary: The mail application employs a weak security scheme. It assigns session-IDs ("tokens") for logged-in users which allow reading of arbitrary users' messages and private information, if enough effort is invested. Analysis: The mail service, upon successful login, assigns an encoded session-ID for the user, in the following manner: 1. The mailbox's number (a decimal number consisting of around 8 digits) is concatenated with a colon symbol, and the current time (in seconds since 01/01/1970, based on the server's clock, 9-10 decimal digits) is appended to it, reading nnnnnnnn:ttttttttt (where nnnnnnnn is the number of the mailbox, and ttttttttt is the time). This string will be referred to as the clear session-ID. 2. A base letter is randomly generated, probably in the range A-J. 3. The encoded session-ID consists of the base letter, concatenated with pairs of capital letters, each pair conforming to a character in the clear session-ID, where this character's ASCII code is represented in two decimal digits, and these digits are taken as an offset relative to the base letter. For example, if the base letter is A, then a character "1", whose ASCII code is 49 is represented as EJ, and if the base letter is G and the character to encode is ":", whose ASCII code is 58, then the encoded representation is LO. This encoded session-ID identifies the session, and is given back to the user via a cookie (if the user is willing to accept such one), or as part of the URL. In both cases, the name of the parameter (or the cookie) is "iNAME", e.g. iNAME=BFKFGGGGHGBGIGHGFGJGIGDGFGIGCGDGFGDGI. In many cases we encountered a situation wherein both the cookie and the URL trailer were sent to the user. Apparently, the session is identified by the encoded session-ID, and by it alone. Empirically, the session is not accessible if one changes the timestamp, the mailbox number, or even the base-letter (of course, re-adjusting the rest of the string). The session is alive as long as the user has not logged-out, and the account is not idle for longer than 6 hours. Therefore, if an attacker gains the encoded-session-ID while the session is still alive, he/she can access all the information residing in the user account, such as personal information and messages. The encoded session-ID can be reconstructed statistically (that is, an attacker can generate several candidates, one of which will be correct) relatively easily. First, the attacker needs to guess (or know beforehand) a mailbox number. Then, the attacker should estimate when the owner of the mailbox accesses the mailbox (a fair estimate would be once a day). Next, the attacker needs to know the approximate time on the mail server (easily done if the attacker opens a valid account there, and decodes the session-ID which contains the server time). Now, in order to gain access to the mailbox, the attacker needs to write a script that generates for each second of the day, all possible 10 encoded session-IDs (one per each possible base-letter), and send these to the server (either as a cookie or embedded into a request URL). If indeed the owner of the mailbox logged-in during the day, then the script will discover it, and as a final step in the script, it should get all the mailbox info. In a side note it should be stated that the application does not sanitize HTML and JavaScript when a user of the application views the body of a mail message sent to him/her. As a result, most of the standard exploits (e.g. embedding links and Javascripts in various tags) work well and can be used as standalone attacks or in conjunction with the above vulnerability (e.g. to establish the initial link between email address and mailbox number) Exploits: Identifying the vulnerable application can be done by checking whether the suspected application is willing to serve clients that disallow cookies (only the vulnerable application does that), and that once the user logged-in, the URLs have the "iNAME=..." trailer. If such is the case, the attack method described above is applicable. Naturally we do not provide an automated script that implements the attack. Vendor Status: Vendors using the mail.com product have been notified as has mail.com. Vendor Patch or workaround: Not available at the time of this release. About Black Watch Labs (www.perfectotech.com/blackwatchlabs/) Black Watch Labs is a research group operated by Perfecto Technologies Inc., the leader in Web Application Security Management. Black Watch Labs was established in order to further the knowledge of the Internet community in the arena of Web application security management. Black Watch Labs publishes security advisories regularly, which are maintained at http://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and Web sites. Black Watch Labs also operates a Web application security mailing list, which can be subscribed to at http://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security Management, please call (408) 855-9500 or email BlackWatchLabs@perfectotech.com. About Perfecto Technologies (http://www.perfectotech.com/) Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web Application Security Management software. AppShield, Perfecto Technologies' flagship product offering, is the first to provide extreme security for customer-facing applications in dynamic Web site environments. Perfecto Technologies has customers in many sectors including, banking, retailing, finance, government and healthcare. Privately held, Perfecto Technologies is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Walden and Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Web site at http://www.perfectotech.com/ or by calling the Company directly at (408) 855-9500. Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved. Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety, provided the information, this notice and all other Perfecto Technologies marks remain intact. Specific Limitations on Use of the Black Watch Labs Advisories THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND OTHER COUNTRIES. NO WARRANTY Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice. Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent, trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.