
[IP] how to hack into a mailing list



---------------------------- Original Message ----------------------------
Subject: how to hack into a mailing list
From:    "Meng Weng Wong" <mengwong@xxxxxxxxx>
Date:    Fri, April 7, 2006 2:41 am
To:      "David Farber" <dave@xxxxxxxxxx>
Cc:      "Meng Wong" <mengwong@xxxxxxxxx>
--------------------------------------------------------------------------

Guessing the password is pretty much your biggest hurdle.  (If the
password accidentally slips through and is exposed to the list, well,
that's a freebie.)

Once you've got the password, you're in -- you can log in to the
mailing list as the listowner.  The listowner account can do just
about anything; after all, you own the list.  For example, you can
change your email address in the system, so that moderation requests
and other administrative notices go to a different place than usual.

Listowners spend a lot of time dealing with those moderation requests
and administrative notices.  A good mailing list manager makes it
easy for you to get through the workload by offering a secret link in
each message.  That link takes you straight to the website, logs you
in, gives you a decision to make, and asks what you want to do.

Unfortunately, if the mailing list gets hacked, and the listowner
address gets changed to something it shouldn't be, and some
moderation requests get generated ... why, then, some malicious party
now has access to those secret links.  Even after the real listowner
changes the password back to what it should be, those links offer a
back door into the website.

This is why, even after the initial compromise was resolved, a
subsequent compromise was possible.

In nine years, this was the first time I've seen a security breach
like this.  Now, with hindsight, we know what to do: after a break-
in, all passwords must be reset, all web sessions must be
inactivated, and all secret direct-access links must be deleted.

In addition, we're looking at a security upgrade to the product.  In
the endless chess game between security and convenience, perhaps it's
time to disable the direct-access link; maybe we should require that
listowners log in each time they have to perform an administrative
action.

And that's the moral of the story: passwords aren't the be-all and
end-all.  A system, once compromised, can be backdoored.  And, sadly,
it seems that in every generation there are those who are doomed to
learn these lessons again and again, until the end of time.
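The fix the message arrives at, as an added example that is not part of the original post: bind every direct-access moderation link to the listowner's current credential epoch, so that a post-breach reset (new password, dead sessions, bumped epoch, rotated link key) invalidates every link already sent out, including any that reached a hijacked owner address. The `ListOwner` record, the `lists.example` host and the request ids are constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class ListOwner:
    """Hypothetical listowner record; every field here is constructed for the example."""
    email: str
    password_hash: str
    credential_epoch: int = 0                      # bumped on every password reset
    link_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sessions: set = field(default_factory=set)     # live web-session ids


def issue_moderation_link(owner: ListOwner, request_id: str) -> str:
    """Build a direct-access link whose tag is tied to the current credential epoch."""
    msg = f"{request_id}:{owner.credential_epoch}".encode()
    tag = hmac.new(owner.link_key, msg, hashlib.sha256).hexdigest()
    return (f"https://lists.example/moderate?req={request_id}"
            f"&epoch={owner.credential_epoch}&tag={tag}")


def verify_moderation_link(owner: ListOwner, url: str) -> bool:
    """Accept the link only if its epoch is current and its tag verifies."""
    q = parse_qs(urlparse(url).query)
    try:
        request_id, epoch, tag = q["req"][0], int(q["epoch"][0]), q["tag"][0]
    except (KeyError, ValueError):
        return False
    if epoch != owner.credential_epoch:
        return False                               # issued under superseded credentials
    msg = f"{request_id}:{epoch}".encode()
    expected = hmac.new(owner.link_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def reset_after_breach(owner: ListOwner, new_password_hash: str) -> None:
    """Post-incident remediation: new password, no live sessions, no live secret links."""
    owner.password_hash = new_password_hash
    owner.sessions.clear()
    owner.credential_epoch += 1                    # outstanding links now fail the epoch check
    owner.link_key = secrets.token_bytes(32)       # and their tags no longer verify either
```

A link the attacker harvested while the owner address was redirected verifies before the reset and fails afterwards, which is exactly the gap the message describes.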

Archives at: http://www.interesting-people.org/archives/interesting-people/