How I Hacked The Star’s E-mail

Ok it sounds like a sensational topic, but it’s actually true, it happened quite some time back (January), but I sat on it for some time to give them a chance to fix it.

Even though I believe in full disclosure, we have to be responsible to vendors and organisations too.

Basically it went down like this, I sent an E-mail to the editor of The Star[/url] about my feelings on the Malaysian Summons system and my post about it[/url].

He clicked on the link from a web based e-mail system and came to read the article, in doing so he passed a referal string to my site (This is a string holding the information of where you just came from, so if you came from a google search on donkeys I’ll get the referal string http://www.google.com.my/search?hl=en&q=donkeys&meta=).

So in the referal string I got from the web based e-mail page, contained the session ID for the Editor who was reading his mail, this session ID wasn’t cookie based, or machine based, it was just a Session ID, which enabled me to log straight into the Editors e-mail..

The referal string I got was something like this:

http://strmal.thestar.com.my/Xf3969c9b9d9b929c9a9e6012d8ab/rmail.41444.cgi?&mbx=Main

Xf3969c9b9d9b929c9a9e6012d8ab in this case is the session ID, simply by entering this link into my browser I could access the editors mail account, I tested and I could change everything except the password (as I don’t know the existing password) but by sending mail from this account I could probably social engineer the password to be changed.

I could read all of the mail in the inbox and other folders

And change any settings I want..

I ever gave them a more accurate signature:

If everyone is using this webmail system I could easily hijack their accounts too, this would be done by sending a HTML mail with a simple image imbedded inside, hosted on my domain, when the mail loaded it would load the image remotely (which your webmail allows I checked) and I would have the referer URL again in my weblogs with the relevant session ID.

Again I could just paste this into my browser and access the account of anyone using this webmail software.

It shows the current state of Information (in)Security in Malaysia.

I did of course e-mail them as soon as I found at and told them how to fix it.

This is just for your information.

On a similar note, if any of you have heard of The Global Malaysian Network[/url], again under the control of The Star[/url] was programmed insecurely.

The Global Malaysian Network is an initiative by The Star Malaysia (www.thestar.com.my) to facilitate networking and to tap into the resources, knowledge, skills, investment and contacts that Malaysians can offer to other Malaysians wherever they are in the world. The directory requires members to submit their personal details including their name, marital status, postal address, contact details, professional/occupation information and even educational background details.

Due to bad programming practices and unchecked variables there are several SQL injection vulnerabilities in the web application that powers the GM Directory. By manipulating the input strings a malicious attacker could potentially compromise the security of the database server and disclose any content within the database including private and sensitive information of the Directory members.

Owned by my friends over at Hack in the Box yesterday.

So The Star, I reckon you need to buck up your ideas when it comes to Infosec 🙂

Comments

comments

Subscribe

You can subscribe via e-mail to get my posts in your Inbox, or stalk me on numerous other platforms.

Follow my Dayre!


32 Responses to How I Hacked The Star’s E-mail

  1. God June 16, 2005 at 10:02 pm #

    bro, i still feel is not such a good idea posting this !!!!! serious …no matter how truthful or helpful you want to be. remember who runs the country.

  2. simon June 16, 2005 at 10:02 pm #

    dude, you should have told star the problem on the condition that they hire you as a consultant, like dogbert!

  3. Din June 16, 2005 at 10:15 pm #

    briliant! but better take care of yourself yah.

  4. Bone June 16, 2005 at 10:39 pm #

    Lol!… pwned. They’re prolly pissin now.

  5. hwachai June 16, 2005 at 10:45 pm #

    deep …… lll …..

  6. n305er June 16, 2005 at 10:51 pm #

    I guess the same trick wouldn’t work again….

  7. God June 16, 2005 at 11:08 pm #

    I guess the same trick wouldn’t work again….by n30er.

    of course it will, that’s why we have so many security flaws in malaysia.

    should have tried bank negara instead.

  8. FireAngel June 16, 2005 at 11:19 pm #

    YOU GEEEEEEK! YOU DA PWN!

    … but won’t u get your ass into trouble for infringement of privacy or sumshits like that? I hope not!!!!!

    It’s a helluva good way to send in yoru resume though. 😛

  9. kimberlycun June 16, 2005 at 11:24 pm #

    You damn ons. sexy ons.

  10. ShaolinTiger June 16, 2005 at 11:55 pm #

    Haha not really, look at it this way, if you left an important document face up on your desk and expected no one to read it, would that be realistic?

    E-mail isn’t confidential anyway, it’s like a postcard, unless you encrypt it, any of the postmen (servers) along the way can read it.

  11. ShaolinTiger June 16, 2005 at 11:56 pm #

    Come let me hack you.

  12. suanie June 17, 2005 at 1:26 am #

    so damn geeky

  13. ShaolinTiger June 17, 2005 at 1:34 am #

    Can I get a w00t w00t?!?

  14. JxT2J June 17, 2005 at 3:52 am #

    Dude you rawk.

  15. jennhuiwen June 17, 2005 at 7:07 am #

    yeah..right!..u rock!…wtf?…teach me woi!hhaaaa

  16. n305er June 17, 2005 at 10:17 am #

    Just FYI, this trick works on Yahoo as well.. 😀

  17. archangel June 17, 2005 at 8:49 pm #

    hey.. found anything interesting in the editor mail box.. ??

  18. frank_omatic June 17, 2005 at 11:26 pm #

    good job…tiger

  19. Jaja June 19, 2005 at 2:28 am #

    hey be nice la they’re excellent to hv beers with!

  20. jennhuiwen June 19, 2005 at 3:03 am #

    oiks..update la…19 today k

  21. Ted June 21, 2005 at 12:48 pm #

    Good job, ST!

    The state of information security in any largish organization can be frightening – it seems the larger they get, the more holes there are, even if they have an InfoSec cell.

    A lot of times it seems to boil down to the organization having some “convenient service” in place that they want to keep, even once they’ve been audited. They ignore the advice of the contractors, only to end up 0Wn3D

    You’d think people/companies would take IS more seriously, especially in this day and age – but 9/10 times they don’t. Scary…

    Cheers,

    Ted

  22. tormentt June 22, 2005 at 10:20 am #

    OK, I seriously do not know if you wrote that post in English or Timbuktuan. But it sounds scary nontheless 🙂 So much for privacy huh?

  23. Old School June 23, 2005 at 4:58 am #

    As I have been telling everyone for years. The Internet is a library and not a place to store important or secret information. Its just old school news and the more they build on old platforms the worse it gets.
    “If one man can make it, another can break it.”

  24. Darren June 23, 2005 at 9:39 pm #

    Hahaha… U are da’man!!!

  25. CH June 24, 2005 at 12:36 pm #

    Maximum pwnage!

    If it was evil me, I would have sent a few emails to me friends. Like, “congrats, you’ve been voted the sexiest blogger, and we’d like to interview you at Low Yat at 12 pm today.”

    then, sit back and let the joy of maximum prankin’ wash over you

  26. BM June 25, 2005 at 12:42 am #

    hai apa kabar awak adik itu kau sayang awak kau satu kini

  27. ShaolinTiger June 25, 2005 at 12:45 am #

    khabar baik, tapi saya tak tau you nak cakap aper

  28. Paranoid June 26, 2005 at 12:49 am #

    haha this page also must have spy on our pc rite….

  29. pikachu June 27, 2005 at 4:49 am #

    I don’t believe you..
    not enought proof. show me more. 🙂

  30. Fucker June 28, 2005 at 2:22 pm #

    lolz, just a stupid mistake made by stupid web developer and discovered by nerd internet users. Nothing much special and should not say “hack”

  31. ShaolinTiger June 28, 2005 at 9:08 pm #

    lolz, just a stupid comment made by stupid ignorant fucker with no balls who posts anonymously and read by me. Nothing much special, should not say “comment” should say anal dribble.

  32. encik wan December 11, 2007 at 10:27 pm #

    ShaolinTiger, what do you think of owasp.org?