I draw your attention to the fact that the first reports of the problems described in this article were sent directly to the two deputy technical directors of Mail.Ru on August 16, 2010. Given the apparent lack of interest from management (I did not get the promised call from the manager "next week"), four weeks after the official notification I am publishing full information about all the vulnerabilities I found on Mail.Ru.
Service Mail.Mail.Ru
Automatic letter deletion
The first vulnerability is, strictly speaking, not a vulnerability at all but more of a prank. In spy movies, letters often self-destruct after being read. You open the letter, follow the link, and the letter moves itself to the trash. Very convenient, isn't it? Spam that destroys itself after reading.
Automatic mailing of advertising letters
Imagine that you are a spammer and need to send about a million messages around the world. Usually spammers use botnets, but it turns out there is another, simpler way to run a mailing. We compose a letter and send it to N Mail.Ru users; forwarding the spam on to Google and Yandex addresses will be taken over by the service itself.
How it works:
A careless user follows the link to the advertised site (through a redirect). While the redirect page to the advertising site is open, the letter is automatically forwarded from the user's mailbox to 15 other addresses (theoretically more). Each address list can be replaced with one of your own, for example drawn from a common database. The most annoying thing is that the user does not even notice, because the "Redirection" function that makes all this work does not keep copies of the sent letters.
Service Daily.Mail.Ru
I don't know whether anyone uses this service, but I think it unlikely that anyone would enjoy having all his diary entries, all events past, present and future, all tasks solved and unsolved disappear in one "wonderful" moment, with no possibility of recovery. Yet exactly such a button was made by the service's developers. It is hidden in the "Settings" section and is modestly called "clear diary".
I do not dispute that the button is genuinely necessary and useful, but it turned out that anyone who can lure you to their site can take advantage of this convenient deletion of your data. It is enough to place a small script on the site, and if you were imprudent enough to be logged in to the service at that unfortunate moment, your diary will start its life over as a clean white sheet.
Service Money.Mail.Ru
All is well in the Money.Mail.Ru service: before every operation to top up, transfer or pay with Mail.Ru money you are persistently asked for the payment password. This is good news. However, I think you will be very upset if all of a sudden your access to your money is restricted, moreover forever (quoted from money.mail.ru):
You will not be able to log in if your IP address changes and is not on the list of allowed IP addresses.
The system administration will not be able to remove or change the IP-address restriction under any circumstances.
The attentive reader will sarcastically say, "That's my own fault," and he will be right, though only partially. After all, it is not only the user of the Money.Mail.Ru service who can add IP addresses, but also his ill-wishers. Why the IP restriction is not protected by a password, I don't know. The fact remains that adding a new IP to the list is easy; it is enough to make the user visit the desired site. If the user's current IP is added and the user has a dynamic address, the problem may not even be noticed immediately.
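The three services above share one root cause: a state-changing request (forward a letter, clear the diary, add an allowed IP) is accepted on the strength of the session cookie alone, so any page a logged-in user visits can issue it. The following is an added example and not Mail.Ru's code: a hardened "clear diary" handler in Python that additionally requires a per-session anti-CSRF token and a same-origin Origin/Referer header; the service origin, the server secret and the session model are assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

SERVICE_ORIGIN = "https://daily.mail.ru"   # assumed origin of the protected service
SERVER_SECRET = secrets.token_bytes(32)     # assumed per-deployment key, generated at start-up

@dataclass
class Session:
    """Server-side session (assumed model); the CSRF token is bound to it, not to the cookie."""
    session_id: str
    user: str
    diary: list = field(default_factory=list)

def csrf_token_for(session: Session) -> str:
    """Derive a per-session token; a cross-site page cannot read it (same-origin policy)."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()

def request_is_same_origin(headers: dict) -> bool:
    """Reject state changes whose Origin (or Referer) points at another site."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin == SERVICE_ORIGIN or origin.startswith(SERVICE_ORIGIN + "/")

def clear_diary(session: Session, headers: dict, form: dict) -> tuple:
    """Hardened 'clear diary': POST only, same-origin, and a valid token in the body."""
    if headers.get(":method") != "POST":
        return 405, "method not allowed"          # a GET via <img>/<script> never mutates
    if not request_is_same_origin(headers):
        return 403, "cross-site request rejected"
    expected = csrf_token_for(session).encode()
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), expected):
        return 403, "missing or invalid CSRF token"
    session.diary.clear()
    return 200, "diary cleared"

def demo() -> dict:
    """Constructed requests: a forged cross-site POST versus a genuine one from the settings page."""
    s = Session("sess-42", "alice", diary=["entry 1", "entry 2"])
    # The attacker's page can make the browser send the cookie, but not the token or a
    # matching Origin header, so the forged request is refused and the diary survives.
    forged = clear_diary(s, {":method": "POST", "Origin": "https://attacker.example"}, {})
    genuine = clear_diary(s, {":method": "POST", "Origin": SERVICE_ORIGIN},
                          {"csrf_token": csrf_token_for(s)})
    return {"forged": forged, "genuine": genuine, "entries_left": len(s.diary)}
```

The same two checks apply unchanged to the "Redirection" settings and to the Money.Mail.Ru allowed-IP list; for the latter the author's point stands that the payment password should also be required.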
Conclusion
Sometimes I get the idea that I am paranoid. I use Firefox with the NoScript plugin, clear all cookies automatically when the browser window closes, use Roboform with a unique generated password for every site, run an antivirus, and open only certain ports to specific IP addresses. But after looking at yet another masterpiece of thought and code, it begins to seem to me that even this is not enough. It seems I am not yet ready to entrust my money to the Money.Mail.Ru service. Are you?