Bigpond Webmail Media.

Recently, Bigpond has become something of a laughing stock in the tech world. What was once an excellent webmail service with every feature you could want is now riddled with security holes.

Here are some of them listed below:

– It is possible to access any user’s email account on the system: view the page source while logged in to webmail, find the ‘userid’ value and change it to another user’s ID. The server trusts the client-supplied ID instead of the logged-in session (an insecure direct object reference).

– It is possible to completely delete any user’s email account the same way: view the source while logged in to webmail and change the ‘delete account’ value to the target user.

– It is possible to retrieve a user’s password hash using nothing but JavaScript. Log in to webmail and change the password: an alert box pops up showing the current password hash. With the hash in hand, the password can be brute-forced offline rather than through the login form, so this can be used to break into any user’s account on Bigpond.

– It is possible to upload executables through the media feature that run automatically when they arrive in a user’s inbox, giving complete remote command execution on the recipient’s machine via malicious media.

– It is possible to view any user’s address book, including of course the email addresses and corresponding passwords of every person listed.

– Authentication for webmail is HTTP Basic Authentication. The browser therefore re-sends the Authorization header, which carries the username and password base64-encoded (not encrypted), with every single request, including when you hit ‘back’. If the connection is not protected by TLS, anybody on the same network, or otherwise positioned on the path, can read the password off the wire with a passive sniffer or an interception proxy such as mitmproxy or Burp Suite.

– It is possible to bypass authentication when viewing attachments: append ‘.dl=1’ to any attachment URL and the file is served to your browser without the usual check.

– There is an attachment Format option that lets the user switch from ‘webpage’ to ‘application’. When set to ‘application’, clicking the file does nothing, but a download can still be forced from a server you control (a PHP script, for example). More importantly, a file named ‘index.html’ containing a phishing page is rendered when the victim opens it, so any script in it runs in their browser and whatever username and password they type goes to you. Note that server-side code (PHP, Perl, Python) does not run in the victim’s browser; the payload has to be HTML and JavaScript.

– The calendar is vulnerable to cross-site scripting: event content is not sanitised, so script placed in an event runs when the event is clicked. As a proof of concept, clicking the event pops an alert box containing the full name, email address and other details of everybody listed on that calendar entry.

– It is possible to send email from any Bigpond account without authenticating. Append the following GET parameters to the send request: ‘[email protected]&displayfrom=yourlogin’, where yourlogin is the username of the account the email should appear to come from. The sender is taken from the query string rather than from an authenticated session, so, combined with the auto-running media described above, this gives remote code execution on the machine of anybody receiving that email.

– It is also possible to remotely add contacts and view private email; I will leave that to the reader’s imagination.
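The ‘userid’, ‘.dl=1’ and ‘from’/‘displayfrom’ issues above share one root cause: the server derives identity and authorisation from values the client sends instead of from the authenticated session. The following is an added example written for this page, not Bigpond’s code or code from the original post; the handler names, parameter names, URLs and the in-memory mailboxes are assumptions made to model the behaviour described, with each vulnerable handler beside its hardened form.

```python
"""
Authorisation bound to the session versus authorisation taken from
client-supplied parameters. Models the hidden 'userid' value, the
'.dl=1' attachment suffix and the 'from'/'displayfrom' send parameters.

Added example; not Bigpond's code or code from the original post.
Handler names, parameter names and the in-memory data are assumptions.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample data: two mailboxes, each with one attachment.
MAILBOXES = {
    "alice": {"inbox": ["alice-msg-1"], "attachments": {"att-1": b"alice file"}},
    "bob":   {"inbox": ["bob-msg-1"],   "attachments": {"att-2": b"bob file"}},
}
SESSIONS = {}  # session token -> {"user": ..., "csrf": ...}


class Forbidden(Exception):
    pass


def login(user):
    """Issue a session token; the server remembers who it belongs to."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return token


def _attachment_id(url):
    """Last path segment, with any '.dl=1' download hint split off."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    download = segment.endswith(".dl=1")
    return (segment[:-len(".dl=1")] if download else segment), download


# ---- vulnerable handlers: identity and authorisation come from the client

def mailbox_vulnerable(session, params):
    # 'userid' is a hidden form value; editing it in the page source
    # selects somebody else's mailbox (insecure direct object reference).
    return MAILBOXES[params["userid"]]["inbox"]


def attachment_vulnerable(session, url):
    # The owner check only runs on the "view" form of the URL; the download
    # form (suffix '.dl=1') was never given one, so it serves any file.
    att_id, download = _attachment_id(url)
    user = SESSIONS[session]["user"]
    for owner, box in MAILBOXES.items():
        if att_id in box["attachments"]:
            if not download and owner != user:
                raise Forbidden(att_id)
            return box["attachments"][att_id]
    raise KeyError(att_id)


def send_vulnerable(params, session=None):
    # A GET request with no session at all; the sender is whatever the
    # query string says.
    return {"from": params["from"], "display": params["displayfrom"], "to": params["to"]}


# ---- hardened handlers: identity comes only from the session

def mailbox_hardened(session, params):
    user = SESSIONS[session]["user"]      # any 'userid' parameter is ignored
    return MAILBOXES[user]["inbox"]


def attachment_hardened(session, url):
    att_id, _download = _attachment_id(url)  # the hint only changes headers
    box = MAILBOXES[SESSIONS[session]["user"]]["attachments"]
    if att_id not in box:                    # look only in the caller's mailbox
        raise Forbidden(att_id)              # same answer for "not yours" and "not there"
    return box[att_id]


def send_hardened(session, method, params):
    sess = SESSIONS[session]
    if method != "POST":                     # a state change never rides on GET
        raise Forbidden("GET")
    if not hmac.compare_digest(params.get("csrf", ""), sess["csrf"]):
        raise Forbidden("csrf")              # cross-site or replayed request
    return {"from": sess["user"] + "@example.invalid", "display": sess["user"], "to": params["to"]}


def forbidden(fn, *args):
    """True if the handler refuses the request."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    a = login("alice")
    print(mailbox_vulnerable(a, {"userid": "bob"}), mailbox_hardened(a, {"userid": "bob"}))
    print(attachment_vulnerable(a, "https://mail.example.invalid/att/att-2.dl=1"))
    print(forbidden(attachment_hardened, a, "https://mail.example.invalid/att/att-2.dl=1"))
```

The hardened attachment handler deliberately answers “not yours” and “does not exist” identically, so the download URL cannot be used as an oracle for which attachment IDs exist, and the hardened send handler refuses anything that is not an authenticated POST carrying the session’s CSRF token.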

These vulnerabilities have only been tested in Chrome and Firefox on Windows XP/7/8, so there is a chance they will not work in other browsers or operating systems, although this is unlikely.
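To make the HTTP Basic Authentication point concrete, here is an added example (not from the original post) of what a passive observer on an unencrypted network recovers: a small parser run over a constructed capture of three consecutive browser requests. The host name and the credentials in the capture are placeholders.

```python
"""
What a passive observer on the network sees when webmail uses HTTP Basic
authentication without TLS: the browser repeats 'Authorization: Basic
base64(user:password)' on every request, and base64 is an encoding, not
encryption.

Added example, not from the original post. The request capture below is
constructed; host and credentials are placeholders.
"""
import base64

# Constructed capture: three consecutive requests from one browsing
# session, as a sniffer on the same unencrypted network would see them
# (inbox, a static image, then the inbox again after pressing Back).
CAPTURE = (
    b"GET /webmail/inbox HTTP/1.1\r\nHost: webmail.example.invalid\r\n"
    b"Authorization: Basic YWxpY2U6Y29ycmVjdCBob3JzZQ==\r\n\r\n"
    b"GET /webmail/img/logo.png HTTP/1.1\r\nHost: webmail.example.invalid\r\n"
    b"Authorization: Basic YWxpY2U6Y29ycmVjdCBob3JzZQ==\r\n\r\n"
    b"GET /webmail/inbox HTTP/1.1\r\nHost: webmail.example.invalid\r\n"
    b"Authorization: Basic YWxpY2U6Y29ycmVjdCBob3JzZQ==\r\n\r\n"
)


def split_requests(stream):
    """Split a captured client stream into individual request heads."""
    return [r for r in stream.split(b"\r\n\r\n") if r.strip()]


def parse_request(raw):
    """Return (method, path, headers) for one request head."""
    lines = raw.split(b"\r\n")
    method, path, _version = lines[0].split(b" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method.decode(), path.decode(), headers


def basic_credentials(headers):
    """Decode 'Authorization: Basic ...' into (user, password), or None."""
    value = headers.get(b"authorization", b"")
    scheme, _, token = value.partition(b" ")
    if scheme.lower() != b"basic":
        return None
    user, _, password = base64.b64decode(token).partition(b":")
    return user.decode(), password.decode()


def sniff(stream):
    """Every request that carried credentials, with the recovered pair."""
    found = []
    for raw in split_requests(stream):
        method, path, headers = parse_request(raw)
        creds = basic_credentials(headers)
        if creds:
            found.append((method, path, creds))
    return found


if __name__ == "__main__":
    for method, path, (user, password) in sniff(CAPTURE):
        print(f"{method} {path}: {user} / {password}")
```

Every request in the capture yields the same username and password, which is the point: with Basic Authentication the credential is on the wire continuously, not just at login, so the only effective fix is TLS for the whole session (with HSTS so the browser never falls back to plain HTTP), ideally replacing Basic with a server-side session cookie so that the password itself is transmitted once.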

Here are some screenshots of these vulnerabilities:

If you enjoyed this article, follow me on Twitter @kapil_khot.