Written by Gregory R. Panakkal
Tuesday, 19 June 2007
ZapakMail recently caught my attention because of the amount of advertising it gets on Indian TV channels. The main point the ads push is that it is the fastest webmail available (in India?).
Well, since I personally put security over sheer 'mindless' speed, I decided to check whether my mail account / inbox would remain secure, or rather, whether users are protected against even simple attacks such as XSS (Cross Site Scripting), which can lead to cookie stealing / session hijacking.
Anyway, in my very first test, I found the following... hmmmpfff...

Well, it's just a simple XSS, with the following code included in the message's HTML body:
<iframe src="javascript:alert('zapakmail xss!!')"></iframe>
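The payload above works because the webmail renders the message's HTML without filtering it. As an added example (not ZapakMail's code, and not from the original post), here is the kind of allow-list sanitizer a webmail client has to run over an HTML body before rendering it: tag names, attribute names and URL schemes are each checked against a short allow-list, and the sanitizer is run against the payload from the post plus a few of the usual evasions (mixed case, entity-encoded and whitespace-split "javascript:", an inline event handler). Tag and attribute allow-lists, the entity subset and the helper names are all choices made for this demo.

```javascript
// Added example, not ZapakMail's code: an allow-list sanitizer of the
// kind a webmail client must run over an HTML message body before it is
// rendered. Everything not explicitly allowed is dropped.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "a", "img"]);
const ALLOWED_ATTRS = { a: new Set(["href"]), img: new Set(["src", "alt"]) };
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode the entity forms used to hide "javascript:" from naive filters
// (&#106;avascript:, &#x6A;, &colon;). Only the entities relevant to this
// demo are handled; a real mailer uses a full HTML entity table.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, "&");
}

// Entity-escape text so it can never be parsed as markup.
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// A URL is acceptable only if, once decoded and stripped of the control
// and whitespace characters browsers ignore ("java\tscript:"), it is
// relative or uses an allow-listed scheme. javascript:, data:, vbscript:
// and anything unknown are rejected.
function safeUrl(raw) {
  const cleaned = decodeEntities(raw).replace(/[\x00-\x20\x7f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m === null || SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Rebuild an opening tag from scratch with only allow-listed attributes,
// so attacker syntax (onerror=, stray quotes, unknown attributes) never
// reaches the output. Links get rel/target added so they cannot reach
// the webmail window via window.opener.
function rebuildTag(name, attrText) {
  const allowed = ALLOWED_ATTRS[name] || new Set();
  const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  let out = "<" + name;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    const attr = m[1].toLowerCase();
    const value = decodeEntities(m[2] || m[3] || m[4] || "");
    if (!allowed.has(attr)) continue;
    if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
    out += ` ${attr}="${escapeText(value)}"`;
  }
  if (name === "a") out += ' rel="noopener noreferrer" target="_blank"';
  return out + ">";
}

// Sanitize a message body. Elements whose contents must never be shown
// are removed together with their contents; every other tag is either
// rebuilt from its allow-listed parts or dropped, and all text between
// tags is entity-escaped. (Attribute values containing ">" are beyond
// this simple tokenizer; a production sanitizer uses a real HTML parser.)
function sanitizeHtml(html) {
  const stripped = html
    .replace(/<(script|style|iframe|object|embed|template)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "")
    .replace(/<!--[\s\S]*?-->/g, "");
  const tagRe = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(stripped)) !== null) {
    out += escapeText(decodeEntities(stripped.slice(last, m.index)));
    last = tagRe.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // unknown or dangerous tag: dropped
    out += m[1] === "/" ? `</${name}>` : rebuildTag(name, m[3]);
  }
  return out + escapeText(decodeEntities(stripped.slice(last)));
}

// Constructed sample: the payload from the post, run through the sanitizer.
const POST_PAYLOAD = "<iframe src=\"javascript:alert('zapakmail xss!!')\"></iframe>";
console.log(JSON.stringify(sanitizeHtml(POST_PAYLOAD)));
```

The important design choice is that the sanitizer never tries to recognise "bad" input; it reconstructs the output from the few pieces it understands, so any trick it has never heard of (a new event handler, an odd scheme, a new entity) is dropped rather than passed through.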
Now, the scariest part I found is that if you choose "Remember Me", you are doomed!! Zapak Mail stores your username and password in PLAINTEXT inside the cookies. Now... now... that's it. I decided: no more Zapak Mail for me!!