More Browser Hacking:
Checking Email Security
What about reading other people's emails? Every day people
email me with excuses for why I should help them break into email
accounts. "My friend gave me permission to try to break
in." "I need to know whether my lover is cheating on
me." "Someone stole my email account from me and tech
support won't help."
You can go to jail warning: Stealing
someone's email is a U.S. Federal felony. It's also creepy.
I was worried that Google searches might turn up lots of email,
so I tried searching for intitle:"Index of /var/spool/mail".
This is the directory in which Unix- and Linux-type computers
store email for download by users. I only got a few hits.
You'll notice that there are no directories listed. That doesn't
mean there are no email accounts here. You can't see the directories
because none of them are world readable. You can be pretty certain
that you won't be able to sneak a look at anyone's email here.
Newbie note: In Unix, Linux and some
Windows operating systems, files can be marked so that only certain
users can read, write or run them. If a file can be read or seen
by anyone, it is called "world readable."
A computer criminal might break in and change the permissions
on someone's account in /var/spool/mail/ so the victim's email
becomes world readable. To make reading the victim's email easy,
the bad guy can also make a symbolic link to a page of the email
server's web site (if it runs a web server and is a Unix or Linux
Someone once did that to me. The bad guys could see any email
that I hadn't downloaded yet. However, I had a shell
account on the mail server. In a routine check of file permissions
I discovered the problem. In any case, this account didn't receive
email from my normal cmeinel.com address, but one that I rarely
used. All that computer crime effort for nothing...
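
The routine permission check described above can be scripted. This is an added example, not code from the original guide: it looks for the two changes mentioned, mailboxes with the world-read bit set and symbolic links from the web site into the spool. The function names and the paths passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit a mail spool for the two exposures described above.
# Usage (paths are assumptions): sh audit.sh /var/spool/mail /var/www

# List spool entries whose mode has the world-read bit set (o+r).
# Symlinks are skipped because their own mode bits are meaningless.
world_readable() {
    find "$1" -mindepth 1 ! -type l -perm -004 -print 2>/dev/null
}

# List symlinks under the web root that resolve to the spool or a file in it.
links_into_spool() {
    webroot=$1
    spool=$(readlink -f "$2") || return 1
    find "$webroot" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case "$target" in
            "$spool"|"$spool"/*) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Return 0 when nothing is exposed, 1 (after printing findings) otherwise.
audit() {
    findings=$(world_readable "$1"; links_into_spool "$2" "$1")
    if [ -z "$findings" ]; then
        echo "OK: no world-readable mailboxes or web links into $1"
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

The exit status is 1 when anything is found, so the script can run from cron and raise an alert on failure.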
Here's how you can check to see whether anyone can snoop on
your email by using their browser. You might have to get some
cooperation from your online service to find out the exact file
location in which your email is kept. Then type that location
into your browser, for example "http://mail.myisp.net/var/spool/mail/".
If this doesn't work, try this: "http://mail.myisp.net/../var/spool/mail/"
or "http://mail.myisp.net/../../var/spool/mail/". That
"../" means "go up one directory."
You won't be able to use "../" in a Google search
(or in just about any other search engine) because it is used as
part of a common attack on web servers. The search engines' firewalls
or other security programs will block those strings.
Newbie note: A string is a sequence
of characters, for example !@#$%^& or "Mary had a little