Main » 2011 » Март » 16 » Small problems big companies
Small problems big companies
I draw your attention to the fact that the first reports of problems described in this article have been transferred directly to the two Vice Technical Director Meyl.Ru August 16, 2010. In connection with the apparent lack of interest from the leadership (the promised call from the manager "next week" I did not wait), through the four weeks after formal notification, I publish the full information on all found me vulnerabilities in the service Meyl.Ru.

Service Pochta.Meyl.Ru

Automatically delete messages

The first vulnerability, in general, and vulnerability, as well, mischief. In the spy movies of the message self-destruct after reading. You open the letter, go to link and the letter itself climbs into the basket. Very comfortable, true? Spam kills himself after reading.

Automatic sending of spam

Imagine you're a spammer, and you have to send a million messages all over the world. Usually spammers use botnets, but it turns out there's another, simpler way of doing mailings. Compose a letter and sends it to N users Sending spam to the addresses of Google and Yandex take over service.

How it works:

Easy user clicks on a link on the advertised website (via redirection). After opening the page with the redirect to an advertising site, email is automatically forwarded to his email address on 15i to other addresses (theoretically possible, and more). Address lists can be substituted for each their own, for example, of the total base. The most annoying that the user does not even notice it, because the function "Forward", through which all this up and running, does not keep copies of sent messages.

Service Ezhednevnik.Meyl.Ru

I do not know if anyone uses something of this service, but I think it's unlikely anyone will like if all its entries in the diary, all events, past and present future, all problems solved and unsolved in a "perfect" time wasted, with no possibility of recovery. However, it is a button made to the service. Button lurking in the "Settings" and said modestly, "to clean daily.

I do not dispute, the button is really useful and interesting, but it turned out that take advantage of such a convenient removal of your data can be anyone who lure you to their website. Enough on the site to place a small script, and if you were careless enough to be logged on the service at this unfortunate moment, your diary will begin its life with a clean white sheet.

Service Dengi.Meyl.Ru

All is well in the service Dengi.Meyl.Ru before each operation of the replenishment, transfer or payment of money Meyl.Ru, you will persistently ask the billing password. This can not but rejoice. However, I think you are very angry, if you suddenly have access to your money will be limited, and forever (to quote from the site

You can not enter into the system, if the IP-address changes and will not be provided list of allowed IP-addresses.
Administration of the system will not be able to withdraw or modify the restriction by IP-address under any circumstances.

A careful reader sarcastically says: "only himself to blame, and will be right, but only partly. After all, the ability to add IP addresses is not only the user service Dengi.Meyl.Ru, but his detractors. Why blocking by IP is not password protected, I do not know. The fact remains, add a new IP to the list easier than ever, it is enough to force users to visit the site you want. If you add the current user's IP with a dynamic address, the problem could be even once and not notice.


Sometimes I have thought that I was paranoid. I use Firefox with the plugin Noscript, cleans up all cookies automatically after closing the browser window, I use Roboform to the generator of unique passwords for each site, using anti-virus, open only to certain ports to specific IP addresses. But after I look at another masterpiece of thought and the code, I'm starting to think that this is not enough. Looks like I'm not yet ready to entrust the money to service Dengi.Meyl.Ru, are you?
Views: 425 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: