A major security vulnerability exists in NetEase Enterprise Mail (affecting, for example, Mogujie and Hunan Satellite TV)

Source: Internet
Author: User
Tags: email setup


Many companies run their corporate mail on NetEase Enterprise Mail. Three tenants of the platform, mogujie.com, Caijing and Hunan Satellite TV, were tested, and the attack described below succeeded against all three.

I hesitated for a long time over whether this even counts as a vulnerability and whether it should be reported at all. Testing settled the question: it is a security vulnerability, because it affects the security of every company hosted on the NetEase Enterprise Mail platform, not just one tenant.


[Vulnerability 1] The error message on the enterprise login portal reveals whether an account exists: a non-existent account and an existing account with a wrong password produce different responses. This is a username-enumeration oracle and the first link in the chain.

[Vulnerability 2] The login portal applies no rate limiting or source-IP restriction, so the oracle from step 1 can be driven at scale with Burp Intruder: keep the password fixed, traverse only the username field, and feed in a dictionary of one to ten million common names. Because the response tells existing accounts apart from missing ones, this recovers most of the real mailbox names of any company on the platform.

[Vulnerability 3] The third step is not a vulnerability in itself; it becomes one only because the first two steps are unrestricted. Each account allows five password attempts before it is locked. With a confirmed list of existing accounts from step 2, batch logins with five common passwords per account (such as 1234 qwer, abc123, q1w2e3r4 and 1qaz2wsx) stay under that limit, and five guesses are enough to open a meaningful share of mailboxes.

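The three steps above form one attack chain: enumerate accounts through the differing error message, drive the enumeration with a fixed password because nothing throttles it, then spray a handful of common passwords while staying under the five-attempt lockout. The following added example (not code from the original post, and not NetEase's code) simulates a login portal with exactly those three properties and runs the chain against it. The user directory, the name list, the lockout threshold and the password list are constructed for the demonstration; the fifth password, 123456, is an assumption added to the four the post names. One detail worth noticing: the enumeration probe uses the first spray password, so it is not a wasted lockout attempt.

```python
"""Enumerate-then-spray against a simulated login portal that has the three
weaknesses described above. Constructed data only; no network traffic."""
from collections import defaultdict

# Constructed tenant directory: username -> password (hypothetical values).
USERS = {
    "zhangwei": "q1w2e3r4",
    "liuyang": "Xk9#pLm2vQ",   # strong password; should survive the spray
    "wangfang": "1qaz2wsx",
    "hr": "abc123",
}
MAX_ATTEMPTS = 5  # per-account lockout after five wrong passwords, as the post describes

# Constructed name list standing in for the multi-million-entry dictionary.
NAME_LIST = ["zhangwei", "lihua", "liuyang", "admin", "wangfang", "hr", "chenjing"]

# Four passwords from the post plus "123456" (added assumption) to fill five guesses.
COMMON_PASSWORDS = ["1234qwer", "abc123", "q1w2e3r4", "1qaz2wsx", "123456"]


class LeakyPortal:
    """Reproduces the behaviour the post reports: a distinct message for a
    missing account (vuln 1), no per-source throttling (vuln 2) and a
    five-attempt per-account lockout (the budget exploited in step 3)."""

    def __init__(self, users):
        self.users = users
        self.failures = defaultdict(int)
        self.requests = 0  # total requests seen; nothing limits this

    def login(self, username, password):
        self.requests += 1
        if username not in self.users:
            return "account does not exist"      # vuln 1: username oracle
        if self.failures[username] >= MAX_ATTEMPTS:
            return "account locked"
        if self.users[username] == password:
            return "ok"
        self.failures[username] += 1
        return "wrong password"


def enumerate_and_spray(portal, name_list, passwords):
    """Step 2 followed by step 3.

    Returns (existing_accounts, {username: recovered_password}). The probe
    password used for enumeration is the first spray candidate, so the one
    request needed to confirm an account also counts as its first guess."""
    probe = passwords[0]
    existing, compromised = [], {}

    # Step 2: fixed password, traverse usernames; only the message tells
    # an existing account apart from a missing one.
    for user in name_list:
        result = portal.login(user, probe)
        if result == "account does not exist":
            continue
        existing.append(user)
        if result == "ok":
            compromised[user] = probe

    # Step 3: spend the remaining guesses, never exceeding the lockout budget.
    for user in existing:
        if user in compromised:
            continue
        for pw in passwords[1:MAX_ATTEMPTS]:
            if portal.login(user, pw) == "ok":
                compromised[user] = pw
                break
    return existing, compromised


if __name__ == "__main__":
    portal = LeakyPortal(USERS)
    existing, compromised = enumerate_and_spray(portal, NAME_LIST, COMMON_PASSWORDS)
    print("existing accounts:", existing)
    print("compromised:", compromised)
    print("total requests:", portal.requests)
```

Running it confirms the post's reasoning: every real account in the name list is identified from the enumeration pass alone, three of the four fall to the spray, and the one account with a strong password is left sitting at exactly five failures. That last point is a side effect the post does not mention but a defender will notice: the spray locks out the legitimate owner of every account it fails to open, so even unsuccessful spraying shows up as a wave of lockouts.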
Following the above steps, Mogujie, Caijing and Hunan Satellite TV were chosen as test targets, and mailboxes at all three were accessed.

What does this mean for an affected enterprise? An attacker who has taken over a mailbox can read its mail quietly over a long period, export the company-wide address book, and silently add a forwarding or CC rule so that future mail is copied out without the owner noticing. And that is only the obvious part; far more is possible from inside a corporate mailbox.

Solution:

1. Return the same message, "Username or password incorrect", whether or not the account exists, so the login page no longer acts as an oracle for valid usernames.

2. Enable source-IP restriction and rate limiting to stop brute-force traffic from a single address.

3. Require a verification code (CAPTCHA) on login, even on the first attempt, rather than only after repeated failures. Typing a verification code costs the user very little.

4. Take it up with NetEase itself (the official enterprise mail team, not the games side).
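The first three fixes above are easy to state and easy to get subtly wrong. As an added example (my code, not NetEase's and not from the original post), the handler below applies them together: one generic message for every failure, a sliding-window per-source-IP limit, and a CAPTCHA requirement once an address has failed a few times. It also covers a caveat the post does not mention: returning the same text is not enough if the code path for an unknown username is noticeably faster, because response timing then becomes the oracle. The handler therefore performs the same password-hash computation against a decoy credential when the username is unknown. The user directory, the thresholds, the window length and the IP addresses are all constructed for the demonstration.

```python
"""Hardened login handler: generic error, equal work for known and unknown
usernames, per-IP throttling and a CAPTCHA gate. Constructed data; no
framework or network involved."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

GENERIC_ERROR = "Username or password incorrect"
IP_WINDOW_SECONDS = 60        # sliding window for counting failures per IP (assumed)
IP_MAX_ATTEMPTS = 20          # failures allowed per IP inside the window (assumed)
CAPTCHA_AFTER_FAILURES = 3    # per-IP failures before a CAPTCHA is demanded (assumed)

# Constructed tenant directory: username -> plaintext password (hypothetical).
USERS = {
    "zhangwei": "q1w2e3r4",
    "liuyang": "Xk9#pLm2vQ",
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class HardenedPortal:
    def __init__(self, users):
        self.users = {u: hash_password(p) for u, p in users.items()}
        # Decoy credential: unknown usernames are checked against this so the
        # request costs the same PBKDF2 work and cannot be told apart by timing.
        self._decoy = hash_password(os.urandom(16).hex())
        self.ip_failures = defaultdict(deque)   # ip -> timestamps of failed logins

    def _recent_failures(self, ip, now):
        window = self.ip_failures[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def login(self, ip, username, password, captcha_ok=False, now=None):
        now = time.time() if now is None else now
        recent = self._recent_failures(ip, now)
        if recent >= IP_MAX_ATTEMPTS:
            return "too many attempts, try again later"     # fix 2: per-IP limit
        if recent >= CAPTCHA_AFTER_FAILURES and not captcha_ok:
            return "captcha required"                        # fix 3: CAPTCHA gate

        # Same code path for known and unknown users: look up or fall back to
        # the decoy, derive the candidate hash, compare in constant time.
        salt, stored = self.users.get(username, self._decoy)
        _, candidate = hash_password(password, salt)
        matched = hmac.compare_digest(candidate, stored)
        if matched and username in self.users:
            # Deliberately do not reset the IP counter on success: an attacker
            # holding one valid credential could otherwise use it to keep spraying.
            return "ok"
        self.ip_failures[ip].append(now)
        return GENERIC_ERROR                                  # fix 1: one message for all failures


def enumeration_signal(portal, ip, names, probe="1234qwer", now=1000.0):
    """Re-run step 2 of the attack (fixed password, traverse usernames) and
    return the distinct responses observed. CAPTCHA is treated as solved so
    only the message oracle is being measured."""
    return sorted({portal.login(ip, n, probe, captcha_ok=True, now=now) for n in names})


if __name__ == "__main__":
    portal = HardenedPortal(USERS)
    print(enumeration_signal(portal, "10.0.0.9", ["zhangwei", "lihua", "liuyang", "admin"]))
```

With these settings the enumeration pass collapses to a single response for real and fake usernames alike, the CAPTCHA demand appears after the third failure from an address regardless of which accounts were tried, and the address is cut off entirely after twenty failures in the window. The numbers are illustrative; what matters is that none of the three signals (message, timing, or which accounts trigger the limit) depends on whether the username exists.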
