It recently became known that a network security specialist, Ilya A., discovered several critical vulnerabilities in Mail.ru services. The specialist reported his findings to technical support but, as so often happens, received neither a reply nor even an acknowledgement. Rather than using the holes he had found for personal gain, or simply forgetting about the whole thing, Ilya A. published both descriptions of the vulnerabilities and working scripts that exploit them. So far only part of what he found has been published, but he says that if Mail.ru again fixes nothing, the second part will follow. It is obvious that all and sundry will rush to make use of such vulnerabilities.
What is especially notable is that he handed Mail.ru the information about the "holes" a month ago. The information was received, he was told as much, and that was all: no action and no feedback. A month later, the expert published everything he had found on his blog.
The vulnerabilities themselves are quite interesting. One of them, for example, makes it possible to delete a user's messages once they have been read. Another allows spam to be sent through Mail.ru itself. A third makes it possible to destroy all of a particular user's records in the "Weekly" service. Yet another allows the account of almost any user of the Money.Mail.ru service to be blocked. As you can see, these are sizeable "holes", so it is all the more surprising that the service paid no attention to the information the expert provided.
Several network security experts who checked the scripts confirmed that they work and that the problem is real. The hacker himself maintains that he published all of this purely with good intentions, so that Mail.ru would finally pay attention to the problems, and rather large ones, in its own services.
According to this specialist, and to other experts, ignoring reported problems in this way is typical not only of Mail.ru but of other IT companies too, large and small, domestic and foreign alike.
As for Mail.ru, Ilya A. believes that the company either does not test its products at all before launch or, if it does, does so carelessly and "for show". Incidents like this one are the result.
Well, let us wait and see how the situation develops; for now, Mail.ru remains silent.