What's New!

Chat with
Hackers

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 

Hacker
Wargames 

Meet the 
Happy Hacksters 

Help for 
Beginners 

Hacker 
Bookstore 

Humor 

It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

More Browser Hacking: Checking Email Security

What about reading other people's emails? Every day people email me with excuses for why I should help them break into email accounts. "My friend gave me permission to try to break in." "I need to know whether my lover is cheating on me." "Someone stole my email account from me and tech support won't help."

You can go to jail warning: Stealing someone's email is a U.S. Federal felony. It's also creepy.

I was worried that Google searches might turn up lots of email, so I tried by searching intitle:"Index of /var/spool/mail". This is the directory in which Unix and Linux type computers store email for download by users. I only got a few hits.

You'll notice that there are no directories listed. That doesn't mean there are no email accounts here. You can't see the directories because none of them are world readable. You can be pretty certain that you won't be able to sneak a look at anyone's email here.

Newbie note: In Unix, Linux and some Windows operating systems, files can be marked so that only certain users can read, write or run them. If a file can be read or seen by anyone, it is called "world readable."

A computer criminal might break in and change the permissions on someone's account in /var/spool/mail/ so the victim's email becomes world readable. To make reading the victim's email easy, the bad guy can also make a symbolic link to a page of the email server's web site (if it runs a web server and is a Unix or Linux type system).

Someone once did that to me. The bad guys could see any email that I hadn't downloaded yet. However, I had a shell account on the mail server. In a routine check of file permissions I discovered the problem. In any case, this account didn't receive email from my normal cmeinel.com address, but one that I rarely used. All that computer crime effort for nothing...

Here's how you can check to see whether anyone can snoop on your email by using their browser. You might have to get some cooperation from your online service to find out the exact file location in which you email is kept. Then type that location into your browser, for example "http://mail.myisp.net/var/spool/mail/". If this doesn't work, try this: "http://mail.myisp.net/../var/spool/mail/" or "http://mail.myisp.net/../../var/spool/mail/". That "../" means "go up one directory."

You won't be able to use "../" on a Google search (or about any search engine) because it is used as part of a common attack on webservers. Their firewalls or other security programs will block those strings.

Newbie note: A string is a sequence of characters, for example !@#$%^& or "Mary had a little lamb".

More --->>

 
Carolyn's most
popular book,
in 4th edition now!

For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Email:
Visit this group

Return to the index of Guides to (mostly) Harmless Hacking!

© 2013 Happy Hacker All rights reserved.