Chrome permits bad websites to send spam from one's email account???

[cyberdiva]

Hi, all.  I'm trying to get more information about something I've just been told about Google Chrome.  Yesterday, I received a spam message from someone I know.  I assumed that her email account had been hacked, and I wrote to her to let her know.  Today, I received a reply from her, saying that "Actually, there is some kind of security gap in Google Chrome that allows a bad website to send out spam from my account."  I'm highly skeptical of this explanation.  I'd imagine that 1) if there were so serious a flaw in Chrome, there would have been mention of it in lots of places that I read, and 2) Google would have quickly found a way to fix it.  I don't use Chrome, but if I did, I'd drop it like a hot potato if it had such a flaw.   Has anyone here heard of or experienced this flaw?

[Jibz]

Yesterday, I received a spam message from someone I know.

-cyberdiva (June 18, 2012, 08:07 AM)

Just for the record, when you say "from", do you mean you checked the headers and it looked like it was a message genuinely sent from her account, or just that the "From:" field in the e-mail contained her e-mail address?

[cyberdiva]

Just for the record, when you say "from", do you mean you checked the headers and it looked like it was a message genuinely sent from her account, or just that the "From:" field in the e-mail contained her e-mail address?

-Jibz (June 18, 2012, 08:35 AM)

Good question, Jibz.  The message was such obvious spam that I didn't bother to check the headers.  I simply assumed that someone had hacked her MSN email account and was now sending spam to everyone in her addressbook.  I wrote to let her know, and in response I got the explanation I quoted in my original message here.  It didn't seem like a likely explanation, so I thought I'd post a message here and see whether anyone has heard of a similar "problem" with Chrome.  But now that you've asked, I looked at the headers.  There weren't a lot, especially before the message was received at my university (where I have the email account to which the message was sent).  Here are some key pieces of info from the headers (I've changed the name of the person I know to janedoe and my university's address to ********.edu):

The return path header was Return-Path: <[email protected]>

The headers from the start to when it got to my university were as follows:
Received: from snt0-omc4-s11.snt0.hotmail.com (snt0-omc4-s11.snt0.hotmail.com [65.55.90.214])
   by ********.edu (mx3.********.edu) with ESMTP id q5I2vdq7025380
   for <cyberdiva@********.edu>; Sun, 17 Jun 2012 22:57:41 -0400 (EDT)
Received: from SNT102-W47 ([65.55.90.201]) by snt0-omc4-s11.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Sun, 17 Jun 2012 19:57:38 -0700
Message-ID: <[email protected]>
Content-Type: multipart/alternative;
   boundary="_cea715e6-4a2e-4c6d-9814-454a114fd041_"
X-Originating-IP: [189.224.78.19]
From: Jane Doe <[email protected]>

If the Originating IP # is not forged, it's in Mexico.  I don't know where this person lives (I "know" her only via listservs we're both on); I kinda doubt she's in Mexico, though it's not impossible.  The message-ID ends in @phx.gbl, which is apparently something that appears in many messages from Microsoft-related mail.  Since she's got an account at msn.com, I guess that makes sense.  Perhaps so too does the appearance of hotmail.com in one of the headers, I don't know.  All the unshown headers after these (leading up to the Return-Path header) look normal.  They're all internal to my university.

So no, it's not just the "From" field that makes me think it came from her account, but the Originating-IP in Mexico does give me pause.  I'm not sure, however, whether the headers indicate clearly whether her email account was simply hacked or whether somehow a "bad website" was able to send spam from her account (her explanation).  Any thoughts?

Thanks in advance.

[nudone]

I'd go with Hotmail hacked. It's happened to me, same kind of thing, everyone in my Hotmail contacts started receiving spam saying it was from me.

[Jibz]

I'd go with Hotmail hacked. It's happened to me, same kind of thing, everyone in my Hotmail contacts started receiving spam saying it was from me.

-nudone (June 18, 2012, 11:15 AM)

Yeah, the headers look fairly believable, and if there was some security hole that would allow this in any browser, I am sure it would be widely publicized.

[cyberdiva]

Thanks, nudone and Jibz.  I tend to agree with you.  I can't imagine why she thinks it's a security hole in Chrome that is causing this, especially since there doesn't seem to have been any publicity about this rather serious problem.  And yes, I know several people who have had their hotmail accounts hacked.  But is hotmail the same as msn?  I hadn't thought so, though they're both Microsoft.  She's got an msn.com address.  Oh well, no reason that msn is any safer than hotmail.

Again, many thanks.  I figure if the folks at DonationCoder haven't heard about this supposed security hole, it probably doesn't exist.

[NigelH]

Actually, I was hit by something similar via my Yahoo email account just a few weeks ago
I clicked on a link (in an email that I thought was valid) but did not verify the link first. Yeah , stupid I know.
It was an email from a friend and the subject matter appeared similar to what we'd been discussing recently.
I was signed into my email a/c at the time and the Javascript code on the site managed to access my Yahoo contacts and broadcast the same spam link to many of my contacts - including subscription list email addresses. Ticked me off no end.
I was using Opera 11.64 at the time and thought my Yahoo a/c had been hacked.
The IP sign-in logs in the Yahoo account had only my IP address - the last sign-in was the day before.

If anyone would like see the specific links, PM me.

Phishing target site at WOT:  http://www.mywot.com...orecard/wa15news.net
Whois info : http://whois.domaint...ols.com/wa15news.net
This was one target site as well:  http://whois.domaint...ols.com/ca15news.net

Pity it was not caught by OpenDNS phishing checks.
Unfortunately, I also had Opera's Fraud and Malware Protection turned off (not any more though).

[Jibz]

That is interesting .. just for clarity, were you looking at the e-mail where you clicked a link from within your yahoo account, or was it somewhere else? I hope it is not possible to access stuff like your address book from remote sites.

[Deozaan]

Yeah I've heard of this security problem before. It's called PEBKAC. Unfortunately it is a vulnerability that exists with all browsers.

[NigelH]

...were you looking at the e-mail where you clicked a link from within your yahoo account ...

-Jibz

Yes - did a right-click then open in background tab.

.. It's called PEBKAC ..

-Deozaan

I trust you enjoyed that.

[Jibz]

...were you looking at the e-mail where you clicked a link from within your yahoo account ...

-Jibz

Yes - did a right-click then open in background tab.

.. It's called PEBKAC ..

-Deozaan

I trust you enjoyed that.

-NigelH (June 19, 2012, 05:45 AM)

Well, if the browser allows arbitrary javascript in one tab to do stuff on another tab, I would call that more of a browser problem than an "Error 40". Or perhaps a web e-mail API problem?