> Yahoo recently opened a free, web-based mail service at
> http://mail.yahoo.com/. I believe they purchased this from Four11 or
> Rocketmail.
>
> It has several security flaws in its POP server access. It has a
> capability to read external mail into your yahoo mail account via POP3.
> This works fine.
I'm not particularily thrilled with Hotmail's setup either. I am sure
this must have been discussed before, but can't recall it so...
>From what I can tell, it authenticates you based on the URL you ask
for (some user information is embedded in it; not the password though)
and the IP address you are coming from. I'm assuming there is some
timeout on the IP address; hmm... looking further, perhaps not. It may
just keep the last used one.
That means that if you send hotmail users a message, get them to
follow on a link to your webserver, log their referer header then
gain access to the IP they were coming from (say they come from a
proxy that you can get access to use somehow, eg. AOL where you
can use an AOL account or some proxy that doesn't properly restrict
access) then you can read all their mail and send messages from
them with the headers and hotmail logs showing they sent them.
What I can not understand is why Hotmail is using this method of
authentication. I certainly agree that all other methods (with
the possible exception of client certificates--but that is often
not practical) available right now aren't very good, but that doesn't
mean you should pick the worst.
I sent myself a mail with an ad for free sex. Since everyone knows that
such things are always true, I clicked on the link.
I then looked at my webserver: (manually wrapped)
users.worldgate.com|alive.worldgate.com|GET /~marcs/freesex/ HTTP/1.0|\
text/html|404|1997/10/13-10:45:19|-|168|-|-|\
http://207.82.250.251/cgi-bin/getmsg?disk=207.82.250.162_d230&login=slemko\
&f=33793&curmbox=ACTIVE&msg=MSG876760995.5&start=143&len=695|\
Mozilla/3.01Gold (X11; I; FreeBSD 2.1.5-RELEASE i386)
Then all I have to do is access the proxy on the host I came from
(too bad you need a password), and poof I can access my mailbox
from anywhere with no information other than that contained in the
above log entry. The risk isn't tremendous, but it is there.
They do have an option of some sort that uses cookies, but I'm not sure if
it helps anything security wise because they just tout it as something to
work around things like proxies with multiple IPs.