Amateurish robbery-3 or the same eggs, only in profile
Good evening Habr!
I have something to tell again. Probably, you remember my previous topics ( 1 , 2 ) on the topic of storing / transmitting passwords in clear text? The gaps I found were hurriedly patched, but no one has made the right conclusions (from the technical staff of the companies). Therefore, you are reading this topic.
As I promised, I decided to check out some more popular mail server with the mail collector service. The choice fell mail.qip.ru. Why? Yes, because it is old enough and known to many Pochta.ru, but under a different sign.
')
1. Hmm. The pop-up window on AJAX will scare off almost any amateur. But not me =)
2. Almost without hope I look at the source code and suddenly I find there a blank for the inflowing window on the layers, carefully marked by the authors of the code. Me type of password field, and Opera's magic browser helps to apply the result to a directly active page
3. Voila, everything is in full view.
4. I remember about Yandex. Mail and its new NEO interface.
5. The code of the page is not so readable, but the principle of its work is similar. I find the workpiece, change the field type, apply ...
6. “Fiasco, fiasco!” Shouted a drunken parrot.
What did comrade say there? kukutz :
Does the NEO interface use the remaining 99%?
UPD Yandex problem fixed .
I have something to tell again. Probably, you remember my previous topics ( 1 , 2 ) on the topic of storing / transmitting passwords in clear text? The gaps I found were hurriedly patched, but no one has made the right conclusions (from the technical staff of the companies). Therefore, you are reading this topic.
As I promised, I decided to check out some more popular mail server with the mail collector service. The choice fell mail.qip.ru. Why? Yes, because it is old enough and known to many Pochta.ru, but under a different sign.
')
1. Hmm. The pop-up window on AJAX will scare off almost any amateur. But not me =)
2. Almost without hope I look at the source code and suddenly I find there a blank for the inflowing window on the layers, carefully marked by the authors of the code. Me type of password field, and Opera's magic browser helps to apply the result to a directly active page
3. Voila, everything is in full view.
4. I remember about Yandex. Mail and its new NEO interface.
5. The code of the page is not so readable, but the principle of its work is similar. I find the workpiece, change the field type, apply ...
6. “Fiasco, fiasco!” Shouted a drunken parrot.
What did comrade say there? kukutz :
How? The classic interface is used by less than a percentage of Yandex.Mail users. To exploit a vulnerability, you need to simultaneously:
Does the NEO interface use the remaining 99%?
UPD Yandex problem fixed .
Source: https://habr.com/ru/post/82880/
All Articles