
Many (Habr) people risk losing everything by using Yandex services to collect correspondence from, or filter spam out of, other mailboxes. The question became particularly acute when, recently, the option to monitor several mail accounts appeared in Ya.Online. If attackers steal or guess the keys to your account, all of your secondary credentials (logins and passwords) end up in their hands. How the guys at Yandex could have made such a blunder, I cannot fathom. By the way, the situation has been like this for several years. Below is an illustration of the vulnerability.
The topic was prepared by jeditobe and published by me, because the author does not have enough karma. This is his first post.
1. Go to Yandex.Mail, then click the links "settings" and "mail view".

2. Choose the "classic" interface.

3. Click the links "settings" and "mail collection".

4. We land on the page listing all the mailboxes monitored by the collector.

5. Select any entry of interest by clicking its link; a pop-up window with its settings opens.

6. Look at the source code of the pop-up window's contents; among the few fields there we find something very interesting.

Yandex serves these pages over the http:// protocol, which allows logins and passwords to be intercepted in network traffic.
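As an added example (not from the post, and not Yandex's code), here is a small Python audit routine that the owner of a web service could run against their own settings pages to catch the two defects the post describes: a stored third-party password echoed back into the page markup, and a page or form action delivered over plain http://. The URLs and HTML fragments below are constructed for the illustration; the function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collects findings about credential handling in the HTML of a settings page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        if tag == "form":
            # A form that posts credentials to an http:// action leaks them in transit
            # even if the page itself was fetched over https.
            action = a.get("action") or ""
            if action.lower().startswith("http://"):
                self.findings.append(
                    f"form action {action!r} submits over clear-text http"
                )
        elif tag == "input":
            # A password input that arrives pre-filled means the server is echoing the
            # stored secret into the page source, where any reader of the markup
            # (or of the unencrypted traffic) can read it.
            if a.get("type", "text").lower() == "password" and a.get("value"):
                self.findings.append(
                    f"password field {a.get('name', '?')!r} is pre-filled with a stored secret"
                )


def audit_settings_page(url, html):
    """Return a list of findings (empty list means no issue detected)."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append(
            f"page served over {scheme}://; credentials shown or submitted here "
            "cross the network unencrypted"
        )
    scanner = _FormScanner()
    scanner.feed(html)
    findings.extend(scanner.findings)
    return findings


# Constructed sample inputs (hypothetical host, not a real service).
LEAKY_URL = "http://mail.example.test/collector/edit"
LEAKY_HTML = (
    '<form action="http://mail.example.test/collector/save">'
    '<input name="login" value="alice@other.example.test">'
    '<input type="password" name="pass" value="hunter2">'
    "</form>"
)

SAFE_URL = "https://mail.example.test/collector/edit"
SAFE_HTML = (
    '<form action="https://mail.example.test/collector/save">'
    '<input name="login" value="alice@other.example.test">'
    '<input type="password" name="pass" value="" placeholder="leave blank to keep">'
    "</form>"
)

if __name__ == "__main__":
    for label, url, html in (("leaky", LEAKY_URL, LEAKY_HTML), ("safe", SAFE_URL, SAFE_HTML)):
        print(label, audit_settings_page(url, html))
```

The safe variant shows the usual fix on the application side: the edit form is served and submitted over https, and the stored password is never written back into the markup; an empty password field means "keep the existing one".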
UPD: Moved to the Information Security blog.
UPD2: A reply from a Yandex employee.