mediafilter on Mon, 27 Sep 1999 03:37:03 +0200 (CEST)


<nettime> NSI's free webmail security hole exposed!


After SPAMMING every registered domain name holder
offering free web-based email, the reviews of Network Solutions'
"dot-com" mail are in:


From 2600
http://www.2600.com/2600new/092099.html

NEW INTERNIC EMAIL SECURITY HOLE

 9/20/99

 We have been alerted to a serious vulnerability on a free
 web-based e-mail service that has recently been launched by
 Network Solutions Inc., otherwise known as the Internic - the people
 responsible for registering nearly all .com, .net, and .org addresses.

 Anyone taking them up on their offer for "free web mail" on their
 www.networksolutions.com/ page is both vulnerable and capable of
 accessing ANY ACCOUNT on the following domains:
        dotexpress.com
        mymailbag.com
        nsimail.com
        dotcomnow.com

 Once you have registered an account on their system, you can
 change the name of your account to ANY OTHER ACCOUNT simply by
 entering this URL:

 http://mail.dotcomnow.com/signup/poll/newaccount?dlang=default

 NO PASSWORD IS REQUIRED.

 Simply replace newaccount with the name of the account you would
 like to access and you're in!

 While it's a trivial matter to guess user names, if you want a small
 list from the Internic's own database, simply type:

                       whois '*@dotexpress.com'

 or any of the other domains they are currently running.

 According to the people who have alerted us of this vulnerability,
 NSI was informed of the security hole last week and failed to
 respond. We believe this may help motivate them.


Have a look at some of the mail that is world readable on NSI's
 system. These people thought they were sending mail to the
 webmaster of the site. What's particularly ironic is the large number
 of people who were complaining about the easily guessable
 passwords that were mailed out - they never suspected that it was
 even easier to compromise their accounts without having to even
 guess the password!
http://www.2600.com/2600new/092099-mail.html

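The flaw the article describes is a session that can be pointed at any account name in the URL with no password check. The following is an added example, written for this archive page and not code from 2600 or from NSI's system: it models that handler in a few lines of Python beside a hardened version that treats rebinding a session as a login (proves the target account's password, gives one answer for unknown name and wrong password, and rotates the session token). The account names, passwords, mail and store layout are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores for the demo (not NSI's data).
ACCOUNTS = {}   # account name -> {"salt", "hash", "mail"}
SESSIONS = {}   # session token -> account name the token is bound to


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _check_password(name, password):
    acct = ACCOUNTS.get(name)
    if acct is None:
        # burn the same work for unknown names so timing does not reveal them
        _pw_hash(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(acct["hash"], _pw_hash(password, acct["salt"]))


def create_account(name, password, mail=()):
    salt = secrets.token_bytes(16)
    ACCOUNTS[name] = {"salt": salt, "hash": _pw_hash(password, salt), "mail": list(mail)}


def login(name, password):
    """Returns a fresh session token bound to `name`, or None on bad credentials."""
    if not _check_password(name, password):
        return None
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = name
    return token


def read_mailbox(token):
    """Mail is served for whatever account the session is currently bound to."""
    name = SESSIONS.get(token)
    return None if name is None else list(ACCOUNTS[name]["mail"])


# Vulnerable pattern: models ".../signup/poll/<account>?dlang=default" as the
# article describes it; a logged-in session is rebound to any name in the URL.
def switch_account_vulnerable(token, requested_name):
    if token not in SESSIONS:
        return "not logged in"
    if requested_name not in ACCOUNTS:
        return "no such account"
    SESSIONS[token] = requested_name   # the bug: no ownership or password check
    return "ok"


# Hardened pattern: rebinding a session to another account is a login, so the
# caller must prove that account's password, and the token is rotated.
def switch_account_hardened(token, requested_name, password):
    if token not in SESSIONS:
        return "not logged in", None
    if not _check_password(requested_name, password):
        return "authentication failed", None   # same answer for bad name / bad password
    del SESSIONS[token]
    new_token = secrets.token_urlsafe(16)
    SESSIONS[new_token] = requested_name
    return "ok", new_token


def demo():
    """Runs both handlers against constructed accounts and returns what the
    attacker's own session is able to read afterwards in each case."""
    ACCOUNTS.clear()
    SESSIONS.clear()
    create_account("victim", "correct horse", mail=["private message"])
    create_account("attacker", "hunter2")
    t = login("attacker", "hunter2")
    vuln_status = switch_account_vulnerable(t, "victim")
    vuln_read = read_mailbox(t)            # victim's mail, no password needed
    t2 = login("attacker", "hunter2")      # fresh session for the hardened handler
    hard_status, hard_token = switch_account_hardened(t2, "victim", "guess")
    hard_read = read_mailbox(t2)           # still the attacker's own (empty) box
    return {"vulnerable": (vuln_status, vuln_read),
            "hardened": (hard_status, hard_token, hard_read)}


if __name__ == "__main__":
    print(demo())
```

The detection angle is the same as the fix: any request that changes which account a session is bound to should be logged as an authentication event, so a session that was issued for one name and later reads another name's mailbox without an intervening successful password check stands out immediately in the logs.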

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net