Uneasy trend - Static Webmail Session IDs

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    Uneasy trend - Static Webmail Session IDs

    Lately I have taken special note of the increase in webmail use at my facility. This is the normal response when restrictions are placed in our acceptable use policy for internal e-mail use.

    The Issue:
    =============================
    Static webmail session IDs

    Example:
    =============================
    http://ms04.mrf.mail.rcn.net/wm/mail...ail&mbox=INBOX

    NOTE!!! I changed the SessionID so don't bother trying to get into this account.

    The Guilty
    =============================
    Well you can easily see that RCN is at fault here but they are not alone. *MANY* ISPs are using this lazy approach. My advice to you is to copy the URL to your webmail session to a text file then take it to another PC and see if you can access your inbox. I have a list of 37 ISPs who currently employ this horribleness. I have informed each and every one along with the user. So far, only 3 have made changes.

    In the past, I used to be able to release info on problem ISPs but DHS has spoken and I no longer can without a ton of red tape traversal. Just do yourself a favor and be sure that your ISP doesn't set static sessionIDs on your webmail sessions. Think about what I can do if I can gain access to your account this way. Muhwahahahaa.

    Seriously though. I can't say it enough. Check into it.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    I've seen more than just webmail implement this. Certain forum software was vulnerable this way as well. In most cases I've seen the developers opted to rely on their own method of generating SIDs, which was often non-random due to how the SIDs were generated.

    All I can say is if you are implementing webmail (far easier than it sounds), go with Horde. The Imp and Turba packages are all you need for just standard webmail.

    Edit: Yeah, misread the original message.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    I'm actually surprised you rely on an ISP to run webmail for ya horse, I was under the impression you worked at a large organization.
    I think he means people logging on to their home ISP's email accounts from work.
    Horsey is our government guy. That is a very large organization.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yep, these are personal accounts being accessed. You should know me better than that.

  5. #5
    Senior Member
    Join Date
    Feb 2004
    Location
    Near Manchester (England)
    Posts
    145

    Read this with interest...

    Call me thick, (no... no... I didn't mean it!), but I'm not entirely sure what thehorse13 means by "Static webmail session IDs"

    I guessed, after looking at my webmail URL when logged in, thehorse13 was typing about the use of variables in the URL. Mine has these if they are preceded by a %.

    If I'm wrong would someone tell me I'm thick and then enlighten me?

    Thanks.
    Tomorrow is another day for yesterday's work!

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    You're thick. :P

    A Session ID is just a unique identifier for a particular "visit" (Session) to a piece of web software. Having static session IDs is bad because it means someone can copy your URL and always get to your mailbox from wherever they like in many cases, though not all. The entire system is a kludge way of turning web software into desktop software, and there are a number of issues to take into consideration when designing web-based software. HTTP was not meant to be a persistent connection client-server protocol, and a lot of issues arise from it.

    Now, these session IDs can be stored in a number of places, among which is the URL. Commonly they are put in URLs, "Session cookies" (a special type of cookie/header that expires when the session is terminated), or in real Cookies. Some bad implementations also rely on POSTed variables (<input type="hidden">).

  7. #7
    Senior Member
    Join Date
    Feb 2004
    Location
    Near Manchester (England)
    Posts
    145

    I thought I was!

    Thanks for that chsh. That makes sense to me. So I can't be completely thick! lol

    One further question then, if I may? How can I tell that the URL that thehorse13 placed in his posting uses a static webmail session id?

    More importantly how do I know if my URL, when logged into my webmail, uses a static session id?

    You've scared me now. Not that I use webmail a lot, only occasionally, but I'm wondering how secure it is!

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Take a closer look. There is a sessionID=(lots of letters and numbers) statement in there.

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Location
    Near Manchester (England)
    Posts
    145

    Duoh! I am Thick!!

    Thanks for that thehorse13. Needed to look at the full string as displayed at the bottom of IE (I know, I know IE, but I'm at work and have no choice! LOL).

    Boy do I feel like an idiot now! How obvious was that!?!

    Time to go home methinks!

    [EDIT]
    Just been to my webmail logged in, captured the URL in the address bar, logged out, then pasted the URL back into the address bar. It gave me an error, saying I had logged out, etc, etc.

    So feel a little relieved now!
    [/EDIT]
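The check thehorse13 recommends in post #1 (copy the URL, try it elsewhere), chsh's explanation of session IDs in post #6, and the logout test in post #9 all come down to one design question: does the server mint a fresh, unguessable ID per login and forget it at logout, or does it hand out the same ID every time? The following Python is an added example, not code from the thread or from any webmail product; the static scheme, the `SessionStore` class, the `webmail.example.invalid` URL and the `sessionID` parameter name are constructed for illustration (the parameter name mirrors what post #8 points at in the quoted URL).

```python
# Added example (not from the thread): a minimal server-side session store that
# contrasts a "static" session ID with one that is random per login and dies at logout.
import hmac
import hashlib
import secrets
from urllib.parse import urlparse, parse_qs

# --- the lazy scheme the thread complains about ------------------------------
# Constructed, deliberately bad: the ID is derived from the username with a fixed
# key, so every login yields the same value and nothing ever invalidates it.
STATIC_KEY = b"constructed-fixed-key"


def static_session_id(username: str) -> str:
    return hmac.new(STATIC_KEY, username.encode(), hashlib.sha256).hexdigest()[:32]


# --- a sound scheme ------------------------------------------------------------
class SessionStore:
    """Random session IDs, kept server-side, valid only between login and logout."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, fresh per login
        self._sessions[sid] = username
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # a captured URL now points at nothing

    def resolve(self, sid: str):
        return self._sessions.get(sid)  # None means "not logged in"


def extract_session_id(url: str, param: str = "sessionID"):
    """Pull the session parameter out of a webmail-style URL (post #8's 'sessionID=...')."""
    values = parse_qs(urlparse(url).query).get(param)
    return values[0] if values else None


def replay_check(store: SessionStore, url: str) -> bool:
    """Post #9's test: paste a captured URL back in. True means it still opens the mailbox."""
    sid = extract_session_id(url)
    return sid is not None and store.resolve(sid) is not None


def demo() -> dict:
    store = SessionStore()
    sid1 = store.login("alice")
    # Constructed URL shaped like the one quoted in post #1 (host is a placeholder).
    url = f"https://webmail.example.invalid/wm/mail?sessionID={sid1}&mbox=INBOX"
    alive_before = replay_check(store, url)
    store.logout(sid1)
    alive_after = replay_check(store, url)  # the "logged out" error post #9 saw
    sid2 = store.login("alice")
    return {
        "static_same_every_login": static_session_id("alice") == static_session_id("alice"),
        "random_changes_per_login": sid1 != sid2,
        "replay_before_logout": alive_before,
        "replay_after_logout": alive_after,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the two behaviours side by side: the static scheme returns the same ID for every login, while the store's ID changes per login and a captured URL stops working the moment the user logs out. A real deployment would also expire idle sessions and keep the ID out of the URL entirely (a cookie, as post #6 describes, keeps it out of browser history, proxy logs and Referer headers), but the login/logout lifecycle above is the property the thread's copy-the-URL test is probing.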

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's kinda fun catching these when people try to get to their webmail from work.... If they are static you can then send them an email from their own account pointing out the danger.....

    They seem to stop trying to use their webmail from work really quickly ....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
