Rather easy to find, but really big mess up on earthlinks part...

In the myaccount and webmail login scripts, if you log in incorrectly, it will give you the regular error message. The only problem is, the error message is in the addy bar, so I was messing around, inputting different strings and sending the link to friends making it say random things, when I realized that it could be an XSS. So I started messing around with alerts, and cookies and so forth.

https://myaccount.earthlink.net/cam/...script%3Ealert('vulnerable')%3C/script%3E&x=-1727377554

is an example of something that I found... I messed around some more, and started messing with pop-ups. I eventually got to the point where I had a script to put in the address bar that would send the cookie to a site that I have, and "log it" (really just PoC) and then redirect to a random earthlink.net site. It went so fast that you would not see it log info before it redirected to the earthlink site.

Not a big prob, right? Cookies, no passwords are logged. But I tested it out, and if you void them into your address bar then go to the site, you are logged in. (NOTE: I tested this out using IE and Mozilla, and they don't share data, so I'm pretty sure it would work from computer to computer.) But you would have to do it fast enough that they didn't log out before you put your cookies in. So there is a time limit, but oh well.
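The bug described above, shown from the defender's side as an added example (not EarthLink's code): a login handler that echoes the URL's error text straight into the page, the same handler with the value HTML-escaped, and a check that flags access-log requests carrying markup in that parameter. The `msg` parameter name, the `/cam/login` path and the log lines are assumptions constructed for the example.

```python
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Vulnerable pattern: the error text is taken from the URL and written
# straight into the HTML, so a URL carrying a <script> tag runs in the page.
# "msg" and these render functions are assumptions, not EarthLink's code.
def render_error_vulnerable(url: str) -> str:
    msg = parse_qs(urlsplit(url).query).get("msg", [""])[0]
    return f'<p class="error">{msg}</p>'

# Fix: HTML-escape the value before it reaches the page, so '<', '>' and
# quotes are rendered as text instead of being parsed as markup.
def render_error_fixed(url: str) -> str:
    msg = parse_qs(urlsplit(url).query).get("msg", [""])[0]
    return f'<p class="error">{escape(msg, quote=True)}</p>'

# Detection: a login error message never legitimately contains a tag or a
# script: URL, so a decoded query that does is a strong signal in the logs.
_SUSPECT = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|document\.cookie", re.I)

def flag_suspect_requests(access_log_lines):
    """Return (line_no, decoded_query) for requests whose query looks injected."""
    hits = []
    for n, line in enumerate(access_log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        query = unquote(urlsplit(m.group(1)).query)
        if _SUSPECT.search(query):
            hits.append((n, query))
    return hits

# Constructed sample access-log lines (not real EarthLink logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2004:10:00:00 +0000] "GET /cam/login?msg=Invalid%20password&x=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2004:10:00:02 +0000] "GET /cam/login?msg=%3Cscript%3Ealert(1)%3C/script%3E&x=2 HTTP/1.1" 200 540',
    '10.0.0.9 - - [01/Jan/2004:10:00:05 +0000] "GET /cam/login?msg=Bad%20login&x=3 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    bad = "https://example.invalid/cam/login?msg=%3Cscript%3Ealert(1)%3C/script%3E"
    print(render_error_vulnerable(bad))  # markup survives into the page
    print(render_error_fixed(bad))       # markup rendered as harmless text
    print(flag_suspect_requests(SAMPLE_LOG))
```

Escaping removes the injection; marking the session cookie `HttpOnly` (and `Secure`) separately keeps page scripts from reading it, which is what made the cookie replay described above possible.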