Forum,

I don't know if this has ever been addressed, but my initial tests on my own iMail server seem to let me use this hack. I have a test page set up on:

Just type in an email address to one of your test accounts with a subject line and send the message.

Basically, if you send an HTML/MIME formatted email to an account with simple JavaScript, the web-based viewer will run the JavaScript. In this case, I've included a redirect to another server that happens to have a login screen.

The idea is, since the web session times out occasionally, you condition your users to expect to re-enter their username and password from time to time. So, if you use an email to redirect their browser to a login screen, you get a bunch of usernames and passwords.

For those that have customized their login screens to be different from the default iMail login, I suppose one could use a referrer-type argument on the email, then use ASPHTTP to grab the login screen from the original server, etc., etc., ad infinitum... but I'm lazy.

If you want the code for the login screen, go to http://209.16.59.28/login.html and download the page. It's trivial to write an ASP page to send the email, but I'm not going to include it here. I've landed myself in court on that sort of thing before.

I'm guessing there are a few ways to prevent this. I'm just wondering if this has been addressed or if this is even viewed as a minor issue.

1) Don't use the web interface at all.

2) Filter each email for script and kill it. As anyone with JavaScript experience knows, this would be extremely difficult, as you can embed JavaScript in HTML objects, events, etc...

3) Disable all incoming HTML email except from "trusted" sources.

The folks at Microsoft figured out how to get around this with Hotmail, and I think they chose option #2. I apologize if I just opened up everyone's iMail accounts to this hack via this post, but it's better than not knowing if/how account passwords are getting stolen.

Norman J. Nolasco
Advarion Incorporated
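Option #2 above (filtering script out of HTML mail before the web viewer renders it) is the approach webmail services generally settled on, and the post is right that a deny-list is hard to get right. The following is an added example, not code from the post or from iMail: a small allow-list sanitiser in Python next to the naive strip-the-script-tag filter it replaces; the tag, attribute and URL-scheme lists and the sample messages are constructed for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "ul", "ol", "li"}  # assumed policy
ALLOWED_ATTRS = {"a": {"href"}}  # no on* handlers, no style, anywhere
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class Sanitizer(HTMLParser):  # rebuilds the message from allow-listed pieces only
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element and its text content
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return  # unknown tags vanish; their text is still kept via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what removes event-handler attributes
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects script-bearing and unknown URL schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and not self.skip_depth and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments, declarations and PIs are dropped by default
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize_html(body: str) -> str:
    p = Sanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)


def naive_strip_script(body: str) -> str:
    return re.sub(r"<script\b.*?</script>", "", body, flags=re.I | re.S)  # deny-list
```

The deny-list version leaves a paragraph with an event-handler attribute untouched, which is exactly the case the post says makes filtering hard; the allow-list version never emits an attribute it was not told about.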
