Earlier today, a guy sent us an email on our email@example.com address with the subject “Security Flaw – yo.co.zw”. Here are the contents of that email:
I know it’s free webmail. The returns from ads are perhaps meagre and not worth any extra time coding and troubleshooting. But that does not and should not justify silly loopholes on a webmail that I have loved for so long (in my quest to see local tech thrive, that is).
Let it be known that I am no geek, nerd, whiz-kid or whatever entitles me to be, and be labelled, a hacker. Doing my cyber rounds I stumbled on what I deem to be the silliest loophole ever on the net.
TechZim Admin, go onto yo.co.zw, sign up for a free firstname.lastname@example.org email address, and mail me that e-mail address and I will be sure to reply to you with a snapshot of your inbox. When satisfied, then I will tell you how to do it, so that Yo!Africa can fix this.
We created an email@example.com account, sent some mail to it and gave our hacker the email address. He responded shortly after with a screenshot of our new mailbox (below).
We’re still not sure how he did it, as our comms with him went dead before we discussed everything. We tried a few simple tricks of our own just to see if we could get into a mailbox without entering a password. We did, and here’s how: when you log into the free webmail system on the www.yo.co.zw website, you get a link that you have to click to open your mailbox. The link’s underlying URL looks something like this: http://www.yo.co.zw/index.php?option=com_webmail&name=tz_at_yo
Now, replacing the username (tz_at_yo in this case) with any other free webmail Yo address would get you into that user’s mailbox. Yes, embarrassingly simple. We tried a couple of random addresses and we got into a few (we didn’t read the emails, of course).
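As an added illustration (not TechZim’s or YoAfrica’s code), here is a minimal model of the entry point described above: the vulnerable handler opens whichever mailbox the `name=` URL parameter names, while the fixed handler derives the mailbox from the server-side session and treats a mismatching `name=` as a probe to reject and log. The mailbox contents, session ids and the `open_mailbox_*` function names are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed sample data: two free-webmail accounts with one message each.
MAILBOXES = {
    "tz_at_yo": ["Welcome to Yo! free webmail"],
    "someone_else": ["Private message, not yours"],
}

# Constructed session store: session cookie value -> username that logged in.
SESSIONS = {"sess-abc123": "tz_at_yo"}


class Forbidden(Exception):
    """Raised when a request tries to open a mailbox it is not entitled to."""


def name_from_url(url: str) -> Optional[str]:
    """Pull the name= parameter out of a link like the one quoted in the post."""
    params = parse_qs(urlparse(url).query)
    return params.get("name", [None])[0]


def open_mailbox_vulnerable(session_id: str, url: str) -> list[str]:
    """Mirrors the reported flaw: the mailbox is chosen from the URL, and the
    session is only checked for existence, never compared to that mailbox."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return MAILBOXES[name_from_url(url)]  # any logged-in user, any mailbox


def open_mailbox_fixed(session_id: str, url: str) -> list[str]:
    """Hardened version: the mailbox is the one bound to the session. The URL
    parameter is redundant; if it disagrees with the session it is refused,
    and that refusal is the event worth alerting on."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Forbidden("not logged in")
    requested = name_from_url(url)
    if requested is not None and requested != owner:
        # In a real deployment this line would go to an audit log.
        raise Forbidden(f"session for {owner} requested mailbox {requested}")
    return MAILBOXES[owner]
```

The fixed handler never consults the URL to decide which mailbox to open, so tampering with `name=` can only produce a logged refusal.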
We alerted someone at YoAfrica and it got fixed within the hour.
We’re stressing that this is “free webmail” because, as far as we could tell, the flaw only affected the free yo.co.zw email addresses that users sign up for at the www.yo.co.zw website. At the moment, nothing suggests that private domains with email hosted at YoAfrica are affected.
It’s also not clear how long it’s been like this. We’ve written to the YoAfrica leadership to get more information and will update when we hear back.
YoAfrica is one of Zimbabwe’s biggest ISPs. Going forward, it’ll probably be difficult for anyone reading this to trust YoAfrica with their email. And sadly, the trust issue may affect other local ISPs as well.
The guy that sent us the hack is called Chrispen Nyamandwe, he’s a student at NUST.