[gotmail] Re: Gotmail cracked?!?!


From: paul cannon
Subject: [gotmail] Re: Gotmail cracked?!?!
Date: Mon, 5 Apr 2004 14:21:01 -0600
User-agent: Mutt/1.5.5.1+cvs20040105i

On Mon, Apr 05, 2004 at 04:49:40PM +0200, Mimmus wrote:
> Hi,
> I received this email on my Hotmail account, claiming that my account was
> cracked because Gotmail is insecure:
>
> ###########################################################################
> Received: from 62.254.0.30 by by2fd.bay2.hotmail.msn.com with HTTP;
>       Mon, 22 Mar 2004 18:53:57 GMT
> X-Originating-IP: [62.254.0.30]
> X-Originating-Email: address@hidden
> X-Sender: address@hidden
> From: "Domenico Viggiani" <address@hidden>
> To: address@hidden
> Subject: Gotmail insecurity
> Date: Mon, 22 Mar 2004 19:53:57 +0100
> Mime-Version: 1.0
> Content-Type: text/plain; format=flowed
> X-Stn-Info:
> 
> Hi, I believe you use a program called Gotmail.  I would just like to inform
> you that it is insecure.  Using Google I was able to find your
> information, and consequently log in to your account, which is where I
> have written this from.  Your account details are on the net for all to see,
> if you don't believe me just follow this link:
> 
> http://savannah.nongnu.org/bugs/download.php?item............. <-- deleted
> by me
> 
> Your username and password are at the bottom of the fifth big paragraph.
> You're lucky I'm a nice hacker, and that I do this kind of thing to warn
> people.  If I were wanting to do some damage I could easily do so, also you
> have a lot of usernames and passwords in your inbox, so I could do some
> damage there too if I so wished.  Ok, now I've finished warning you it's up
> to you what you do, now it's time for me to hack into other things.
> 
> Bye.
> 
> Hope you find this helpful.
> ##############################################################################

> It seems that it is true, I changed some passwords but this is really bad
> news.
> Any idea about what happened?

No, Gotmail is not insecure. You posted a debug log that contained your
password to a public mailing list; that is the breach. I don't maintain
Gotmail anymore, but I'll forward this on to the appropriate list; the
maintainers probably should ensure that passwords are no longer being
included in cURL calls, so they won't end up in logs. Some work was done
on that exact issue a long time ago, but it may have crept back in with
changes since then.

Most importantly, the maintainers should emphasize that no one should
send a log file like that to a public place without knowing what's in
it. The instructions to star out or change passwords that appear in logs
should be more visible.

Again, Gotmail was not cracked, and it is not insecure. It may be a
little loose with what it puts in debug logs, and that should probably
be fixed, but you as a user have a responsibility not to blindly send
out logs generated by _any_ program on your system; _anything_ could be
in there.

Since you changed your password, this will not be a problem for you
anymore unless you send your password to a public list again.

-- 
paul

P.S. Someone emailed us some time ago about this issue, using similar
language; it probably is the same person. I told them pretty much what I
just told you. I personally feel they went too far in breaking in to
your account, when it would have sufficed to inform you of the need to
change your password. I can give you the contact info I have for this
person if you wish to pursue it.
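The practical step paul recommends, starring out passwords before a debug log leaves your machine, can be automated. The following is an added example, not Gotmail's own code and not something from this thread: a small scrubber that masks password fields in curl command lines, URL query strings, `-u user:password` arguments and `Authorization` headers, then re-checks the result against the known secret so a format the patterns missed is caught before the log is posted. The log format, the host names and the value `hunter2` are all constructed for the example; the real Gotmail log layout is not shown on this page.

```python
import re

# Constructed sample of a Gotmail-style debug log. The line format is an
# assumption for this example; it is not a real Gotmail log or real Hotmail URL.
SAMPLE_LOG = """\
gotmail: executing curl -s -d "login=example%40hotmail.com&passwd=hunter2&domain=hotmail.com" https://login.example.invalid/ppsecure/post.srf
gotmail: curl -u example:hunter2 https://mail.example.invalid/inbox
GET https://mail.example.invalid/folder?curmbox=F000000001&pw=hunter2
Authorization: Basic ZXhhbXBsZTpodW50ZXIy
gotmail: response 200 OK, 12 messages in Inbox
"""

# Form-field / query-string keys that are treated as secrets (assumed names).
SENSITIVE_KEYS = ("passwd", "password", "pw", "pass")

# key=value pairs such as passwd=hunter2 inside -d data or a URL query string.
_KV_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")=([^&\s\"']*)")
# curl's -u / --user user:password argument; keep the user name, mask the password.
_USERPWD_RE = re.compile(r"(-u|--user)\s+(\"?)([^:\s\"]+):([^\s\"]+)")
# Any Authorization header value (Basic credentials are just base64, not a secret-safe form).
_AUTH_RE = re.compile(r"(?i)^(Authorization:\s*\S+\s+)(\S+)", re.M)


def scrub(text, mask="********"):
    """Return the log with password-bearing fields replaced by a fixed mask.

    Non-secret fields (login name, folder ids, status lines) are left intact so
    the log still tells the maintainers what happened.
    """
    text = _KV_RE.sub(lambda m: f"{m.group(1)}={mask}", text)
    text = _USERPWD_RE.sub(
        lambda m: f"{m.group(1)} {m.group(2)}{m.group(3)}:{mask}", text
    )
    text = _AUTH_RE.sub(lambda m: m.group(1) + mask, text)
    return text


def leaks(text, secrets):
    """Return the known secrets that still appear verbatim in the text.

    Regex scrubbing is best-effort; this final check is what should decide
    whether a log is safe to post. An empty list means nothing was found.
    """
    return [s for s in secrets if s and s in text]


if __name__ == "__main__":
    cleaned = scrub(SAMPLE_LOG)
    print(cleaned)
    still_present = leaks(cleaned, ["hunter2"])
    print("safe to post" if not still_present else f"STILL LEAKS: {still_present}")
```

The `leaks()` check is the important part: the patterns only know the field names listed in `SENSITIVE_KEYS`, so a program that sends the password under some other name would slip through them, and only comparing the output against the real password catches that. A complementary change on the program side, which is what paul asks the maintainers for, is to stop putting the password on the curl command line at all; curl can read POST data from a file with `-d @file` and its options from a file with `--config`, so a debug trace of the command no longer contains the credential.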
