
RE: [gotmail] Re: Gotmail cracked?!?!


From: John Fruetel
Subject: RE: [gotmail] Re: Gotmail cracked?!?!
Date: Mon, 5 Apr 2004 14:10:06 -0700

I'm the current maintainer and Paul is right, it's the posting to the
published lists that's the problem.  Unfortunately, I'm not sure how or even
IF I can go delete those log files from the mail archives.  Paul C, do you
know if that's even possible?

I'll add the logging of passwords to the buglist at SourceForge.  I have
some new stuff that I want to include for a new release anyway; I don't
think that removing the passwords from the log should be a problem.

It will probably be a month or more before I put out a new release of
gotmail though.

-----Original Message-----
From: address@hidden
[mailto:address@hidden On Behalf Of
paul cannon
Sent: Monday, April 05, 2004 1:21 PM
To: Mimmus
Cc: address@hidden
Subject: [gotmail] Re: Gotmail cracked?!?!

On Mon, Apr 05, 2004 at 04:49:40PM +0200, Mimmus wrote:
> Hi,
> I received this email on my Hotmail account, claiming that my account 
> was cracked because Gotmail is insecure:
>
> ######################################################################
> #####
> Received: from 62.254.0.30 by by2fd.bay2.hotmail.msn.com with HTTP;
>       Mon, 22 Mar 2004 18:53:57 GMT
> X-Originating-IP: [62.254.0.30]
> X-Originating-Email: address@hidden
> X-Sender: address@hidden
> From: "Domenico Viggiani" <address@hidden>
> To: address@hidden
> Subject: Gotmail insecurity
> Date: Mon, 22 Mar 2004 19:53:57 +0100
> Mime-Version: 1.0
> Content-Type: text/plain; format=flowed
> X-Stn-Info:
> 
> Hi, I believe you use a program called Gotmail.  I would just like to 
> inform you that it is insecure.  Using Google I was able to find 
> you're information, and consequently log in to you're account, which 
> is where I have written this from.  Your account details are on the 
> net for all to see, if you don't believe me just follow this link:
> 
> http://savannah.nongnu.org/bugs/download.php?item............. <-- 
> deleted by me
> 
> You're username and password are at the bottom of the fifth big paragraph.
> You're lucky I'm a nice hacker, and that I do this kind of thing to 
> warn people.  If I were wanting to do some damage I could easily do 
> so, also you have a lot of usernames and passwords in you're inbox, so 
> I could do some damage there too if I so wished.  Ok, now I've 
> finished warning you it's up to you what you do, now it's time for me to
> hack into other things.
> 
> Bye.
> 
> Hope you find this helpful.
> ######################################################################
> ######
> ##

> It seems that it is true, I changed some passwords but this is really 
> bad news.
> Any idea about what happened?

No, Gotmail is not insecure. You posted a debug log that contained your
password to a public mailing list; that is the breach. I don't maintain
Gotmail anymore, but I'll forward this on to the appropriate list; the
maintainers probably should ensure that passwords are no longer being
included in cURL calls, so they won't end up in logs. Some work was done on
that exact issue a long time ago, but it may have crept back in with changes
since then.

Most importantly, the maintainers should emphasize that no one should send a
log file like that to a public place without knowing what's in it. The
instructions to star out or change passwords that appear in logs should be
more visible.

Again, Gotmail was not cracked, and it is not insecure. It may be a little
loose with what it puts in debug logs, and that should probably be fixed,
but you as a user have a responsibility not to blindly send out logs
generated by _any_ program on your system; _anything_ could be in there.

Since you changed your password, this will not be a problem for you anymore
unless you send your password to a public list again.

--
paul

P.S. Someone emailed us some time ago about this issue, using similar
language; it probably is the same person. I told them pretty much what I
just told you. I personally feel they went too far in breaking in to your
account, when it would have sufficed to inform you of the need to change
your password. I can give you the contact info I have for this person if you
wish to pursue it.


_______________________________________________
Gotmail-list mailing list
address@hidden
http://mail.nongnu.org/mailman/listinfo/gotmail-list
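Paul's two recommendations above (keep passwords out of the logged cURL calls, and star out whatever still appears in a log before it is posted anywhere) can be mechanised. What follows is an added example written for this page in Python; it is not Gotmail's own code and does not claim to match its log format. It redacts password-like parameters and credential-bearing headers by pattern, then scrubs any known secret values wherever else they occur, and offers a final check that reports which known secrets still appear. The log lines, parameter names, host name and credentials are all constructed for the example.

```python
import re
from urllib.parse import quote

# Constructed sample of what a curl-driven webmail fetcher might write to its
# debug log. These lines are made up for this example; they are not Gotmail output.
SAMPLE_LOG = """\
curl -d 'login=alice&passwd=hunter2&domain=hotmail.com' https://login.example/ppsecure/post.srf
GET /cgi-bin/HoTMaiL?curmbox=F000000001&password=hunter2 HTTP/1.1
Authorization: Basic YWxpY2U6aHVudGVyMg==
Cookie: MSPAuth=abc123; MSPProf=def456
Logging in as alice / hunter2
Fetching folder Inbox (3 new messages)
"""

# Parameter names that commonly carry a credential in a form body or URL
# (assumed list; extend it for the tool whose logs you are cleaning).
SENSITIVE_KEYS = ("passwd", "password", "pass", "pwd", "pw")
# Headers whose whole value is a credential or a session token.
SENSITIVE_HEADERS = ("authorization", "proxy-authorization", "cookie", "set-cookie")

MASK = "********"

# key=value where the key is password-like; the value runs to the next
# delimiter (&, quote or whitespace) so the rest of the line survives.
_KV_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")=([^&'\"\s]*)")
# A header line whose entire value should be hidden.
_HDR_RE = re.compile(r"(?i)^(" + "|".join(SENSITIVE_HEADERS) + r"):\s*(.*)$")


def redact_line(line):
    """Mask password-like key=value pairs and credential-bearing headers."""
    line = _KV_RE.sub(lambda m: f"{m.group(1)}={MASK}", line)
    m = _HDR_RE.match(line)
    if m:
        line = f"{m.group(1)}: {MASK}"
    return line


def redact_log(text):
    """Pattern-based pass over every line of a debug log."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def scrub_known_values(text, secrets):
    """Value-based pass: remove each known secret wherever it appears, in plain
    and URL-encoded form, catching places the patterns above do not anticipate
    (free-text status messages, unusual parameter names)."""
    for s in secrets:
        for variant in {s, quote(s, safe="")}:
            text = text.replace(variant, MASK)
    return text


def leaked_secrets(text, secrets):
    """Pre-share check: which known secrets still appear, plain or URL-encoded?"""
    return [s for s in secrets if s in text or quote(s, safe="") in text]


def prepare_for_sharing(text, secrets):
    """Redact by pattern, then by value, and confirm nothing known survived."""
    cleaned = scrub_known_values(redact_log(text), secrets)
    assert not leaked_secrets(cleaned, secrets)  # defence in depth against regex changes
    return cleaned


if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE_LOG, ["hunter2"]))
```

The pattern pass alone is not enough: the constructed "Logging in as alice / hunter2" line has no password-like key, so only the value pass catches it, which is why the final `leaked_secrets` check is worth running on anything you are about to post. Very short or common password values will over-redact with the value pass; that is the safe direction for a log that is leaving your machine.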



