دكتور الحب
25-09-2002, 05:13 PM
Finally, I found you a solution to Hotmail theft ....
The goal is not to publish the method, but to make the Arab user aware and guide him to the remedy or prevention. [ Posted by / إبنغازى ]
In the name of God, the Most Gracious, the Most Merciful. Dear brothers,
Today I read this new (and at the same time old) topic in English.
The method is that a message containing a Java script arrives in the victim's mailbox, and as soon as he opens it a screen appears asking him to log in again (Re login) by entering the username and password again. The Java script then sends this data to the address specified inside it.
--------------------------------------------------------------------------------
This document describes a serious security problem we discovered with Microsoft's Hotmail Service which allows malicious users to easily steal the passwords of Hotmail users.
The exploit involves sending e-mail messages that contain javascript code as part of the message.
When a Hotmail user views the message, the embedded javascript code forces the user to re-login to Hotmail.
In doing so, the victim's username, password, and IP address are sent to the malicious user by e-mail.
Once a malicious user knows the password to the victim's Hotmail account, he can assume full control of the account, including the ability to:
- delete, send, and read the victim's e-mail
- check mail on other mail servers that the victim has configured for mail-checking
- access the victim's address book
- discover other passwords sent as confirmation of registration in old e-mails
- change the password of the Hotmail account
The security problem is easy to take advantage of.
A would-be hacker needs only to ................................... .
In a working demonstration of this exploit, we show that even users without their own internet service provider (ISP) can steal an arbitrary number of Hotmail passwords by using a free ..... .... ... .
We believe the "Hot"mail exploit to be a serious security concern for the following reasons:
1. The malicious code runs as soon as the e-mail message is viewed
2. The resources required to launch the attack are minimal and freely available.
3. The malicious e-mail can be sent from virtually anywhere, including libraries, internet cafes, or classroom terminals
4. The exploit will work with any javascript-enabled browser, including the Microsoft Internet Explorer and Netscape Communicator.
Because-we-can.com has notified both Microsoft and Hotmail that a security problem exists.
We are making the following detailed information about the "Hot"Mail exploit publicly available to speed the process of fixing the security hole.
In general, we believe that when the public is aware of serious security problems, expedient measures are taken to solve those problems.
Learn how ..
However, when the user types in their username and password, the information is sent back to the malicious user.
In the exploits we describe, the part of the program that does the actual "dirty-work" of mailing the password and username is provided by ..... as a (free) service to all their members.
This should not be viewed as an oversight or problem with them, since there are ...
The "Hot"Mail exploit is just one of many potentially damaging javascript programs that could be embedded into mail messages.
Since javascript code in email messages can run as soon as the message is viewed, and can alter virtually any aspect of the user interface, we urge Hotmail to implement a javascript filter.
HOW TO PROTECT YOURSELF FROM "HOT"MAIL
Until Hotmail fixes the security problem, we suggest that Hotmail users turn off javascript in their browsers.
Even users familiar with our version of the exploit may be vulnerable to other javascript programs embedded in Hotmail messages.
Netscape users can turn javascript off in their preferences (edit / preferences / advanced / disable javascript).
Microsoft Internet Explorer users can turn jscript off in their preferences (view / internet options / security / custom settings / scripting / disable active scripting).
This demonstrates how we used the "Hot"Mail exploit with minimal resources to steal passwords from Hotmail users.
Our goal was to show that using only the items listed below, we could steal a victim's Hotmail password and remain anonymous.
INGREDIENTS:
- 1 Computer with Internet Access
- 1 Netscape Mail (or equivalent e-mail program)
- 1 Notepad (or equivalent text editor)
STEP 1: We visited hotmail.com and registered for a free e-mail account. We did not have to enter valid contact information during the registration process.
STEP 2: .......
--------------------------------------------------------------------------------
Of course, my goal is not to publish the method but to make the Arab user aware and guide him to the remedy or prevention.
Prevention is:
1- Be alert to this trick, whether in HOTMAIL or any other mail service; that is, do not respond to a message asking you to re-enter your data. The correct way is to log in to the site again if a disconnection occurs.
2- Do not open suspicious messages
3- Disable JavaScript via:
Tools
Internet options
Security
Custom settings
Scripting
Disable active scripting
May God protect you and keep you well
Peace be upon you, and the mercy and blessings of God
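The quoted advisory urges the mail service to implement a javascript filter. The sketch below is an added example, not code from this post, the advisory, or Hotmail: it shows a default-deny filter for HTML mail bodies next to a script-tag blocklist, and all function names and the sample message are constructed for illustration.

```javascript
// Added example: default-deny filter for HTML mail bodies (names are hypothetical).
// Only attribute-free formatting tags survive; everything else becomes inert text.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong', 'p', 'br',
                      'ul', 'ol', 'li', 'blockquote', 'pre'];

function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Step 1: escape the whole body, so no markup of any kind is live.
// Step 2: restore exact matches of <tag> / </tag> for allowlisted names only.
// A tag carrying any attribute (onerror=, href=, style=) never matches and stays text.
// Limitation: entities already in the mail (&amp;) are shown literally, which is safe.
function filterMailHtml(body) {
  const restore = new RegExp('&lt;(/?)(' + ALLOWED_TAGS.join('|') + ')&gt;', 'gi');
  return escapeHtml(body).replace(restore,
    (match, slash, tag) => '<' + slash + tag.toLowerCase() + '>');
}

// For contrast: a blocklist that removes only <script> elements.
function naiveScriptStrip(body) {
  return body.replace(/<script[\s\S]*?<\/script>/gi, '');
}

// Live tags remaining in a filtered body, used to inspect the result.
function liveTags(html) {
  return html.match(/<[^>]*>/g) || [];
}

// Constructed sample message; the script bodies are inert placeholders.
const SAMPLE = '<p>Hello <b>there</b></p>' +
  '<script>void 0</script>' +
  '<img src="x" onerror="void 0">' +
  '<a href="javascript:void 0">re-login</a>';

console.log(liveTags(naiveScriptStrip(SAMPLE))); // script gone, handler and link still live
console.log(liveTags(filterMailHtml(SAMPLE)));   // only <p>, <b>, </b>, </p>
```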