update 9/24/99:
A full business week has now gone by since we revealed this security hole.
Apart from a story in the Boston Globe and ZDTV, the rest of the media
chose to ignore this completely. Wired even wrote us to say "we do not
believe this represents either a security or a privacy risk." It's hard
to imagine what could be *more* of a security and privacy risk than a
company running insecure software while attempting to get *all*
administrative and technical contacts for *every* .com, .net, and .org site
to use their system as a trusted method of communication.
As of today, most of the problems seem to have been fixed, although we
are still hearing from people who claim to have thousands of accounts
in their browser cache which can still be logged into. Also, as of this
date, no public comment has been issued on the web sites of Network
Solutions, Inc. or Critical Path, Inc., the company that NSI hired to
operate its web mail sites. Spokespersons from Critical Path have been
quoted as saying they take responsibility for this mess but we believe
a more public and lasting statement is in order.
update 9/21/99:
It's been a day since this problem was disclosed to the public, and almost a week since it was brought to NSI's attention. They have still yet to comment on the matter.
The page that allowed people to access arbitrary email accounts has been disabled by NSI. However, if you happen to know the URL for an email box, you can still access it. For instance you can send email as microsoft@dotcomnow.com here. Within 5 minutes of this URL being posted the account was disabled. STAY TUNED!
As of 7:20 PM EDT, a URL to access the support account's email was working. As we were preparing to post a link, it too was disabled. Perhaps someone is paying attention.
We have been alerted to a serious vulnerability on a free web-based
e-mail service that has recently been launched by Network Solutions Inc.,
otherwise known as the Internic - the people responsible for registering
nearly all .com, .net, and .org addresses.
Anyone taking them up on their offer for "free web mail" on their
www.networksolutions.com/ page is both vulnerable and capable
of accessing ANY ACCOUNT on the following domains:
dotexpress.com
mymailbag.com
nsimail.com
dotcomnow.com
Once you have registered an account on their system, you can change the
name of your account to ANY OTHER ACCOUNT simply by entering this URL:
http://mail.dotcomnow.com/signup/poll/newaccount?dlang=default
NO PASSWORD IS REQUIRED.
Simply replace newaccount with the name of the account you would like
to access and you're in!
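The flaw described above is a classic broken access control: the server lets a URL parameter, rather than the identity proven at login, decide which mailbox a request operates on. The following added example (our own illustration, not code from NSI or Critical Path; the session shape, mailbox names and function names are assumptions) shows a handler with that defect beside one that binds every mailbox operation to the authenticated session and logs mismatches so they can be detected.

```python
"""Illustration of the access-control defect behind the NSI web mail hole.

This is example code written for this page, not the vendor's software.
The Session type, the mailbox store and the handler names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    # Identity established at login, i.e. after a password was actually checked.
    user: str


# Constructed sample data: two mailboxes with placeholder contents.
MAILBOXES = {
    "alice": ["note to self"],
    "webmaster": ["account enquiry from a customer"],
}

# Constructed audit trail that a detection rule could read back.
AUDIT_LOG: List[str] = []


def vulnerable_open_mailbox(session: Session, account_param: str) -> Optional[List[str]]:
    """Defective: trusts the 'account' value taken from the URL.

    Any logged-in user (or anyone who can reach the URL) can read any box,
    because the session identity is never compared with the requested account.
    """
    return MAILBOXES.get(account_param)


def is_authorised(session: Optional[Session], account_param: str) -> bool:
    """Authorisation rule: a request may only touch the mailbox of the
    identity that logged in.  The URL parameter is treated as a claim to
    be verified, never as the source of truth."""
    if session is None:
        return False
    return account_param == session.user


def hardened_open_mailbox(session: Optional[Session], account_param: str) -> Optional[List[str]]:
    """Corrected: resolves the mailbox from the session, logs mismatches.

    Returns None (and records an audit line) when the requested account is
    not the caller's own.  A real handler would answer HTTP 403 here.
    """
    if not is_authorised(session, account_param):
        who = session.user if session else "<anonymous>"
        AUDIT_LOG.append(f"DENY user={who} requested_account={account_param}")
        return None
    # Note: look up by session.user, not by the parameter, so even a bug in
    # the check above cannot hand out someone else's mailbox.
    return MAILBOXES.get(session.user)


def denied_count() -> int:
    """Number of cross-account attempts recorded so far (for detection/alerting)."""
    return sum(1 for line in AUDIT_LOG if line.startswith("DENY "))


if __name__ == "__main__":
    alice = Session("alice")
    # The defect: alice reads the webmaster's mail just by naming it in the URL.
    print(vulnerable_open_mailbox(alice, "webmaster"))
    # The fix: the same request is refused and logged.
    print(hardened_open_mailbox(alice, "webmaster"))
    print(hardened_open_mailbox(alice, "alice"))
    print(AUDIT_LOG)
```

The design point is that the hardened handler never lets request data choose the principal: the mailbox is looked up by the session's user even after the check passes, and every mismatch produces an audit line, which is exactly the signal that would have shown NSI the problem before the public did.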
While it's a trivial matter to guess user names, if you want a small list
from the Internic's own database, simply type:
whois '*@dotexpress.com'
or any of the other domains they are currently running.
According to the people who alerted us to this vulnerability, NSI
was informed of the security hole last week and failed to respond. We
believe this may help motivate them.
Have a look at some of the mail that is world readable on NSI's system.
These people thought they were sending mail to the webmaster of the
site. What's particularly ironic is the large number of people who were
complaining about the easily guessable passwords that were mailed out -
they never suspected that it was even easier to compromise their accounts
without having to even guess the password!