earthlink myaccount and webmail error msg vuln.

[Tyro_Pundit]

Rather easy to find, but really big mess up on earthlinks part...

In the myaccount and webmail login scripts, if you login incorrectly, it will give you the regular error message. Only problem is, the error message is in the addy bar, so I was messing around, inputting different strings and sending the link to friends making it say random things, when I realized that it could be a XSS. so I started messing around with alerts, and cookies and so forth.

https://myaccount.earthlink.net/cam/...script%3Ealert('vulnerable')%3C/script%3E&x=-1727377554

Is an example of something that I found... I messed around some more, and started messing with pop ups. I eventualy got to the point where I had a script to put in the address bar, that would send the cookie to a site that I have, and "log it" (really just POC) and then redirect to a random earthlink.net site. It went so fast that you would not see it log info before it redirected to earthlink site.

Not a big prob right? cookies, no passwords are logged. But I tested it out, and if you void them into your address bar then goto the site, you are logged in. (NOTE: I tested this out using IE and mozilla, and they dont share data, so I'm pretty sure it would work from computer to computer). But you would have to do it fast enough that they didn't log out before you put ur cookies in. So there is a time limit, but oh well.

[The Duck]

After all of those page requests from their server, I hope they dont get suspicous of your actions. They do have all those logged. But on a lighter note, nice job for finding it, given that it works. I'm not going to test it out lol.

[Tyro_Pundit]

Heh, I've told them about the problem. And I saw someone else on a board I was lookin at found the problem also. We both told them about the problem. I myself worked on it almost all day getting everything worked out right, giving them a POC on it. Its still not gixed after about 2 weeks of notice, so I figured I would let the rest of thw world know about it.

Kinda sad how bad some of the coding on these big companies are...

[The Duck]

Well, if that's the case, then good for you! I can't tell how how sick and tired I am of these companies doing absolutly nothing about anything. Whether its a complaint about a customer or eve their own security. Maybe now they will learn the hard way.