Hey all

A friend of mine just designed a page and added the Yahoo and Gmail login boxes to it. Now, it works. What I want to ask is this: if he were to host it and use it to log in to Yahoo, Gmail, whatever, would it be secure? My guess is it wouldn't be, but I could be wrong. By secure, I mean: will it be possible to sniff the username and password when he uses this page to log in?

The code for this file is as follows. Also, the page is a regular HTML page (.htm) and not ASP, PHP etc.

<html>
<script type=text/javascript>
<!--
  // Page-load timestamp in epoch milliseconds; lg() reads it later when it
  // builds the GMAIL_LOGIN cookie value.
  var start_time = new Date().valueOf();
// -->
</script>

<body>
<table width="542"><tr> <td>


<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Welcome</title>

<style type=text/css>
<!--
body,td,div,p,a,font,span {font-family: arial,sans-serif}
body {margin-top:2}

.c {width: 4; height: 4}

.bubble {background-color:#C3D9FF}

.tl {padding: 0; width: 4; text-align: left; vertical-align: top}
.tr {padding: 0; width: 4; text-align: right; vertical-align: top}
.bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
.br {padding: 0; width: 4; text-align: right; vertical-align: bottom}

.form-noindent {background-color: #ffffff; border: #C3D9FF 1px solid}

// -->
</style>
<!-- NOTE(review): third-party script fetched from mail.google.com on every page load. It runs with full
     access to this page, including the login form fields. `is_browser_supported`, which FixForm() reads,
     is not defined anywhere in this file and presumably comes from this script (confirm). -->
<script type=text/javascript src="https://mail.google.com/mail?view=page&name=browser"></script>

<script type=text/javascript>
<!--

// Frame-busting: when this page has been loaded inside another document's
// frame, replace the top-level window with this page. This is a legacy
// script-based defence against framing; pages normally rely on the
// X-Frame-Options or CSP frame-ancestors response headers for that today.
if (!(self.location == top.location)) {
  top.location = self.location.href;
}

/**
 * Writes a cookie with path "/" and domain ".google.com".
 *
 * The value is written as given (no escaping), without an expiry and without
 * the "secure" attribute. Browsers only accept a Domain attribute that
 * matches the host serving the page, so on a copy of this page hosted
 * outside google.com the write is expected to be ignored.
 *
 * @param {string} name  Cookie name.
 * @param {*} value      Cookie value; concatenated into the cookie string.
 */
function SetGmailCookie(name, value) {
  var pieces = [name + "=" + value, "path=/", "domain=.google.com"];
  document.cookie = pieces.join(";");
}

/**
 * Records login timing in the GMAIL_LOGIN cookie.
 *
 * The value has the form "T<start_time>/<start_time>/<now>", where
 * start_time is the page-load timestamp and now is the time of this call,
 * both in epoch milliseconds.
 */
function lg() {
  var submittedAt = new Date().getTime();

  var stamp = "T" + start_time;
  stamp += "/" + start_time;
  stamp += "/" + submittedAt;

  SetGmailCookie("GMAIL_LOGIN", stamp);
}

/**
 * Submit callback invoked through gaia_onLoginSubmit().
 *
 * Writes the login-timing cookie and makes sure FixForm() has run at least
 * once before the form is sent.
 *
 * @returns {boolean} Always true, so the submission is never blocked here.
 */
function gaiacb_onLoginSubmit() {
  lg();
  if (fixed) {
    return true;
  }
  FixForm();
  return true;
}

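/**
 * Removes one "key=value" parameter from a URL's query string.
 *
 * An occurrence of `param` only counts when it is a whole parameter: it must
 * follow "?" or "&" and be followed by "&" or the end of the string. The
 * first such occurrence is removed together with one adjoining "&". Earlier
 * textual matches that are only part of another parameter (for example
 * "xui=html" when stripping "ui=html") are skipped instead of ending the
 * search, which the previous version did.
 *
 * When the stripped parameter was the only one, the "?" is left in place.
 *
 * @param {string} url    URL to edit.
 * @param {string} param  Exact "key=value" text to remove.
 * @returns {string} The URL without the parameter, or the URL unchanged
 *     when no whole-parameter match exists.
 */
function StripParam(url, param) {
  // An empty needle matches everywhere and would never terminate the scan.
  if (param === "") return url;

  var start = url.indexOf(param);
  while (start != -1) {
    var end = start + param.length;
    var charBefore = url.charAt(start - 1);  // '' when start is 0
    var charAfter = url.charAt(end);         // '' past the end of the string

    var beginsParam = charBefore == '?' || charBefore == '&';
    var endsParam = charAfter == '' || charAfter == '&';
    if (beginsParam && endsParam) {
      // Drop exactly one separator so the remaining query stays well formed.
      if (charBefore == '&') {
        --start;
      } else if (charAfter == '&') {
        ++end;
      }
      return url.substring(0, start) + url.substring(end);
    }

    start = url.indexOf(param, start + 1);
  }
  return url;
}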

// 0 until FixForm() has run once, 1 afterwards.
var fixed = 0;

/**
 * Strips the "ui=html" and "zy=l" parameters from the login form's hidden
 * "continue" URL, then marks the form as fixed.
 *
 * The rewrite only happens when is_browser_supported is truthy and the form
 * and its "continue" field exist; `fixed` is set to 1 in every case.
 * is_browser_supported is not defined in this file.
 */
function FixForm() {
  var form = is_browser_supported ? el("gaia_loginform") : null;
  var target = form && form["continue"];
  if (target) {
    var withoutUi = StripParam(target.value, "ui=html");
    target.value = StripParam(withoutUi, "zy=l");
  }
  fixed = 1;
}

/**
 * Looks up an element by id.
 *
 * Uses document.getElementById when the browser provides it; otherwise falls
 * back to a truthy window property of the same name.
 *
 * @param {string} id  Element id.
 * @returns {*} The element, or null when the fallback finds nothing.
 */
function el(id) {
  if (!document.getElementById) {
    return window[id] || null;
  }
  return document.getElementById(id);
}

// Checkpoints as [epoch milliseconds, value] pairs in ascending time order.
// updateQuota() interpolates between neighbouring pairs to produce the
// number shown in the "quota" element.
var CP = [[1136102400000, 2680], [1149145200000, 2730], [1167638400000, 2800]];

// Assigned by OnLoad() to the element with id "quota".
var quota;

// Image URL on mail.google.com carrying the script-evaluation time as "t";
// LogRoundtripTime() requests it to time one round trip.
var ONE_PX = "https://mail.google.com/mail/images/c.gif?t=" + new Date().getTime();

/**
 * Times one image request to ONE_PX.
 *
 * The onload handler built by GetRoundtripTimeFunction() receives the start
 * time; assigning `src` last is what starts the request.
 */
function LogRoundtripTime() {
  var probe = new Image();
  probe.onload = GetRoundtripTimeFunction(new Date().getTime());
  probe.src = ONE_PX;
}

/**
 * Builds the onload handler used by LogRoundtripTime().
 *
 * @param {number} start  Epoch milliseconds at which the request began.
 * @returns {function()} Handler that stores the elapsed milliseconds in the
 *     GMAIL_RTT cookie when called.
 */
function GetRoundtripTimeFunction(start) {
  function recordElapsed() {
    var elapsed = new Date().getTime() - start;
    SetGmailCookie("GMAIL_RTT", elapsed);
  }
  return recordElapsed;
}

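/**
 * Sends the contents of the Email field to mail.google.com through an image
 * request ("gxlu" parameter), with the current time as "zx".
 *
 * OnLoad() calls this once and also installs it as the password field's
 * focus handler, so the typed username leaves the browser before the form
 * is submitted. Nothing is sent while the field is empty.
 *
 * Returns quietly when the login form or its Email field is missing; the
 * previous version threw a TypeError there, which aborted the rest of
 * OnLoad().
 */
function MaybePingUser() {
  var f = el("gaia_loginform");
  if (!f || !f.Email) {
    return;
  }

  var address = f.Email.value;
  if (address) {
    new Image().src = 'https://mail.google.com/mail?gxlu=' +
                      encodeURIComponent(address) +
                      '&zx=' + (new Date().getTime());
  }
}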

/**
 * Body onload handler: focuses the form, sends the username ping, hooks the
 * ping to the password field's focus event, starts the round-trip timing,
 * initialises the quota counter once, and calls LoadConversionScript().
 */
function OnLoad() {
  gaia_setFocus();

  // Ping now, and again each time the password field gains focus.
  MaybePingUser();
  var loginForm = el("gaia_loginform");
  loginForm.Passwd.onfocus = MaybePingUser;

  LogRoundtripTime();

  // Resolve the quota element only on the first run.
  if (!quota) {
    quota = el("quota");
    updateQuota();
  }

  LoadConversionScript();
}

/**
 * Refreshes the number shown in the quota element.
 *
 * Finds the first checkpoint in CP that lies in the future. Before the first
 * checkpoint nothing is displayed and the function retries in a second;
 * after the last one the final value is shown and updating stops; in between
 * the value is linearly interpolated, formatted, and refreshed every second.
 * Does nothing while `quota` is unset.
 */
function updateQuota() {
  if (!quota) {
    return;
  }

  var now = new Date().getTime();

  // Index of the first checkpoint that is still ahead of `now`.
  var next = 0;
  while (next < CP.length && !(now < CP[next][0])) {
    next++;
  }

  if (next == 0) {
    setTimeout(updateQuota, 1000);
    return;
  }

  var prev = CP[next - 1];
  if (next == CP.length) {
    quota.innerHTML = prev[1];
    return;
  }

  var ts = prev[0];
  var bs = prev[1];
  var span = CP[next][0] - ts;
  var growth = CP[next][1] - bs;
  quota.innerHTML = format(((now - ts) / span * growth) + bs);
  setTimeout(updateQuota, 1000);
}

// Decimal point plus six zeros: the fractional part every number is padded
// or cut to.
var PAD = '.000000';

/**
 * Renders a number with exactly six characters after the decimal point.
 *
 * Values without a "." in their string form get PAD appended; shorter
 * fractions are right-padded with zeros; longer ones are truncated (not
 * rounded).
 *
 * @param {number} num  Value to render.
 * @returns {string} The formatted text.
 */
function format(num) {
  var text = String(num);
  var dot = text.indexOf('.');
  if (dot < 0) {
    return text + PAD;
  }

  // Number of characters from the dot to the end of the string.
  var fraction = text.length - dot;
  return fraction < PAD.length
      ? text + PAD.substring(fraction)
      : text.substring(0, dot + PAD.length);
}

// Global settings for Google conversion tracking; presumably read by the
// conversion.js script named in LoadConversionScript() (confirm).
var google_conversion_type = "landing";
var google_conversion_id = 1069902127;
var google_conversion_language = 'en_US';
var google_conversion_format = '1';
var google_conversion_color = 'FFFFFF';

/**
 * Creates a <script> element pointing at Google's conversion.js.
 *
 * The element is never inserted into the document here, so as written this
 * function does not cause the script to be fetched or run.
 */
function LoadConversionScript() {
  var tag = document.createElement("script");
  tag.src = "https://www.googleadservices.com/pagead/conversion.js";
  tag.type = "text/javascript";
}

// -->
</script>

</head>
<body bgcolor=#ffffff link=#0000FF vlink=#0000FF onload="OnLoad()">

<table width=30% border=0 align=center cellpadding=0 cellspacing=0>
  <tr valign=top>
    <td width=1%><img src=https://mail.google.com/mail/help/images/logo1.gif border=0 width=143 height=59 alt=Gmail align=left vspace=10/></td>

  </tr>
</table>
<br>

<table width=30% align=center cellpadding=5 cellspacing=1>

  <tr>

      <td valign=top>
        <!-- login box -->
        <table class=form-noindent cellspacing=3 cellpadding=5 width="99%" bgcolor=#E8EEFA>
          <tr bgcolor=#E8EEFA>
            <td valign=top style=text-align:center nowrap=nowrap>

<div id=login>

                          <script type="text/javascript"><!--



/**
 * onsubmit handler of the login form.
 *
 * Delegates to the page-level gaiacb_onLoginSubmit() callback when one is
 * defined on window; otherwise lets the submission go ahead.
 *
 * @returns {*} The callback's result, or true when there is no callback.
 */
function gaia_onLoginSubmit() {
  if (!window.gaiacb_onLoginSubmit) {
    return true;
  }
  return gaiacb_onLoginSubmit();
}

/**
 * Puts the cursor in the first field the user still has to fill in: the
 * Email field when it is empty, otherwise the password field.
 *
 * The form is looked up with document.getElementById when available, else
 * through window.gaia_loginform. Does nothing when no form is found.
 */
function gaia_setFocus() {
  var f = document.getElementById
      ? document.getElementById("gaia_loginform")
      : (window.gaia_loginform || null);
  if (!f) {
    return;
  }

  var emailMissing = f.Email.value == null || f.Email.value == "";
  var target = emailMissing ? f.Email : f.Passwd;
  target.focus();
}

//--> </script> <style type="text/css"><!--

      div.errormsg { color: red; font-size: smaller; font-family:arial,sans-serif; }
      font.errormsg { color: red; font-size: smaller; font-family:arial,sans-serif; }  
  //--> </style>  <style type="text/css"><!--

.gaia.le.lbl { font-family: Arial, Helvetica, sans-serif; font-size: smaller; }
.gaia.le.fpwd { font-family: Arial, Helvetica, sans-serif; font-size: 70%; }
.gaia.le.chusr { font-family: Arial, Helvetica, sans-serif; font-size: 70%; }
.gaia.le.val { font-family: Arial, Helvetica, sans-serif; font-size: smaller; }
.gaia.le.button { font-family: Arial, Helvetica, sans-serif; font-size: smaller; }
.gaia.le.rem { font-family: Arial, Helvetica, sans-serif; font-size: smaller; }

   
  .gaia.captchahtml.desc { font-family: arial, sans-serif; font-size: smaller; } 
  .gaia.captchahtml.cmt { font-family: arial, sans-serif; font-size: smaller; font-style: italic; }
  
//--> </style>       <!-- ServiceLoginElements.nui=logo -->  <div style="background:#E8EEFA" id="gaia_loginbox" class="body"> 
		<!-- NOTE(review): the sign-in POST goes straight to https://www.google.com/accounts/ServiceLoginAuth, so the
		     credentials themselves are sent over TLS. That only helps if this markup reaches the browser unmodified:
		     when the page carrying the form is served over plain HTTP, the form action and the scripts around it can
		     be altered in transit before anything is typed, and the address bar does not show where the password
		     will be sent. The hidden "continue" field below holds an http:// URL, so the post-login redirect target
		     is not HTTPS either. -->
		<form action="https://www.google.com/accounts/ServiceLoginAuth" onsubmit="return(gaia_onLoginSubmit());" id="gaia_loginform" method="post">  
		<input type="hidden" name="rmShown" value="1">  
		<input type="hidden" name="ltmpl" value="yj_blanco">   
		<input type="hidden" name="ltmplcache" value="2">  
		<table cellpadding="1" cellspacing="0" align="center" border="0" id="gaia_table">              
			<!-- LoginBoxLogoText.quaddamage=VERSION1 -->  
			<tr> <td colspan="2" align="center">  <font size="-1">  Sign in to 
				Gmail with your  </font>

				<!-- LoginBoxGoogleAccountLogo.retro=false -->  
					<table> <tr>  <td valign="top"> &nbsp;</td>  
								  <td valign="middle"> <font size="+0"><b>
									Account</b></font> </td>  
							</tr> 
					</table>     
				</td> 
			</tr>                     
			<tr> <td colspan="2" align="center"> <div class="errorbox-good">  </div> </td> 
			</tr> 
			<tr> <td nowrap> <div align="right"> <span class="gaia le lbl"> 
				Username: </span> </div> </td> 
				 <td> <input type="hidden" name="continue" value="http://mail.google.com/mail?ui=html&amp;zy=l">      
				 	  <input type="hidden" name="service" value="mail">                        
				 	  <input type="hidden" name="rm" value="false">            
				 	  <input type="hidden" name="ltmpl" value="yj_blanco">    
				 	  <input type="hidden" name="hl" value="en">                                                        
				 	  <input type="text" name="Email" value="" class="gaia le val" id="Email" size="18">  
				 </td> 
			</tr> 
			<tr> <td align="right"> <span class="gaia le lbl"> Password: </span> </td> 
				 <td> <input type="password" name="Passwd" class="gaia le val" id="Passwd" size="18"> </td> 
			</tr> 
			<!-- LoginElementsSubmitButton.nui=default -->    
			<tr> <td></td> <td align="left"> <input type="submit" name="null" value="Sign in" class="gaia le button"> </td> 
			</tr>      
			<tr id="ga-fprow"> <td colspan="2" align="center" height="33.0" valign="bottom" nowrap class="gaia le fpwd"> 
				&nbsp;</td> 
			</tr>        
		</table> </form> 
		</div>    

</div>

<script>
<!--
// Rewrite the hidden "continue" URL as soon as the form above has been parsed,
// so it is already fixed before the first submit (gaiacb_onLoginSubmit() only
// calls FixForm() again while `fixed` is still 0).
FixForm();
// -->
</script>



        </table>
        <br>
        
</table>
<br>

</td>

</body>


<body>
<td> 

<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">
<meta http-equiv="refresh" content="900">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta content="index,follow" name="robots">
<meta content="Yahoo! Mail Free reliable easy efficient PhotoMail SpamGuard antivirus storage mail for mobile award-winning" name="keywords">
<meta content="Take a closer look at Yahoo! Mail.  Get these great features: Powerful protection against spam and viruses, 1GB of email storage, PhotoMail, message size up to 10MB, and Mail anywhere there's a web connection" name="description">

<link rel="stylesheet" type="text/css" href="http://us.js2.yimg.com/us.js.yimg.com/lib/common/fonts_200502080901.css">
<style type="text/css">
@import url(http://us.js2.yimg.com/us.js.yimg.com/lib/reg/css/yregml_200602161700.css); 
</style>
<!--[if IE 5]>
<style  type="text/css">
#yregbnr{margin-top:23px;padding-top:0}  /* offset login box */
.yregbnrimg {margin:0 0 0 -3px}  /* 3px jog Win/IE5  */
</style>
<![endif]-->

<!--[if IE]>
<style>
.yregclb{height:1%}
#yregbnrti{height:159px;padding-top:0}
#yregbnrtii{margin-top:0} 
.knob{top:-5px}
#yregtml .mailplus{height:36px;padding-top:0}
#yregtml .mailplus div{margin-top:0}
#yregtml .spamguard{height:52px;padding-top:0}
#yregtml .spamguard div{margin-top:0}
#yregtml .addressbook{height:50px;padding-top:0}
#yregtml .addressbook div{margin-top:0}
#yregtml .messenger{height:60px;padding-top:0}
#yregtml .messenger div{margin-top:0}
#yregtml .photos{height:60px;padding-top:0}
#yregtml .photos div{margin-top:0}
#yregtml .mobile{height:60px;padding-top:0}
#yregtml .mobile div{margin-top:0}
#yregtml .antivirus{height:22px;padding-top:0}
#yregtml .antivirus div{margin-top:0}
#yregtml .cnet{height:72px;padding-top:0}
#yregtml .cnet div{margin-top:0}
#yregtml .pcmag{height:94px;padding-top:0}
#yregtml .pcmag div{margin-top:0}
</style>
<![endif]-->



			<!-- NOTE(review): this script is requested over plain HTTP from 127.0.0.1:1031, i.e. from whatever is
			     listening on that port on each visitor's own machine. It looks like something added by software on
			     the computer the page was saved from rather than part of the Yahoo! page (assumption, confirm), and
			     it has no place in a hosted copy of a login form. -->
			<script language='javascript' src='http://127.0.0.1:1031/js.cgi?pcaw&r=12717'></script>

</head>
<body id="yregtml">
<div id="yregwp" style="width: 351px; height: 418px">
<!-- begin header -->
<table id="yregmst" width="275" height="150" cellpadding="0" cellspacing="0" border="0"><tr valign="top">
<td width="98%"><table width="100%" cellspacing="0" border="0"><tr valign="top">
<td width="1%"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif" alt="Yahoo! Mail" width=196 height=33 border=0>
</tr></table>
	

<!-- end header -->

	<div id="yreglg" style="width: 250px; height: 250px">
<!-- login box goes here -->			
		<div class="top yregbx">
			<span class="ct"><span class="cl"></span></span>
			<div class="yregbxi">
					<p>To access Yahoo! Mail...</p>
		
				
						
				<h1>Sign in to Yahoo!</h1>	
	
				<fieldset>

				<legend>Login Form</legend>
<!-- NOTE(review): credentials are POSTed to https://login.yahoo.com/config/login?, so the submission itself is
     sent over TLS, but ".done" below is an http:// URL. The ".u" and ".challenge" fields hold fixed values that
     look like per-session tokens captured when the page was saved (assumption, confirm); a static copy resends
     the same ones on every sign-in. As with any login form, the HTTPS action only protects the password if the
     page containing the form was itself delivered unmodified. -->
<form method="post" action="https://login.yahoo.com/config/login?" autocomplete="off" name="login_form">
				<input type="hidden" name=".tries" value="1">
				<input type="hidden" name=".src" value="ym">
				<input type="hidden" name=".md5" value="">
				<input type="hidden" name=".hash" value="">
				<input type="hidden" name=".js" value="">
				<input type="hidden" name=".last" value="">
				<input type="hidden" name="promo" value="">

				<input type="hidden" name=".intl" value="us">
				<input type="hidden" name=".bypass" value="">
				<input type="hidden" name=".partner" value="">
				<input type="hidden" name=".u" value="0qavc7l25gm3i">
				<input type="hidden" name=".v" value="0">
				<input type="hidden" name=".challenge" value="3eBcQD_XxNtrQO9zFzPRblxKxLaf">
				<input type="hidden" name=".yplus" value="">
				<input type="hidden" name=".emailCode" value="">
				<input type="hidden" name="pkg" value="">

				<input type="hidden" name="stepid" value="">
				<input type="hidden" name=".ev" value="">
				<input type="hidden" name="hasMsgr" value="0">
				<input type="hidden" name=".chkP" value="Y">
				<input type="hidden" name=".done" value="http://mail.yahoo.com">
				<table id="yreglgtb" summary="form: login information">
					<tr>
						<th><label for="username">Yahoo! ID:</label></th>

						<td><input name="login" id="username" value="" size="17" class="yreg_ipt" type="text"></td>
					</tr>
					<tr>
						<th><label for="passwd">Password:</label></th>
						<td><input name="passwd" id="passwd" value="" size="17" class="yreg_ipt" type="password"></td>
					</tr>
				
				</table>	
					<p>&nbsp;</p >
					<p class="yreglgsb"><input type="submit" value="Sign In"></p>

				</form>	
				</fieldset>


 </tr></table>
</body>
</html>

Thanks

If he hosts it securely, using "https" to access it, and it links to the various services securely, using "https", then it should be reasonably secure.

If he hosts it securely, using "https" to access it, and it links to the various services securely, using "https", then it should be reasonably secure.

I don't know. I'm guessing gmail (as an example), does hash the passwords during sign in. This is in addition to the secure http channel used. If you take a look at the code, I don't think it's being encrypted anywhere.

What do you think?

So you're saying that I could pass the username and password without hashing it, but use https and be assured of a relatively safe transmission?

No, you should use as much security as you can.

I'm saying, though, that if the page you posted is itself accessed securely, via HTTPs, then you've taken a reasonable first step.

Access from that page to the various sites, should already be secure.

No, you should use as much security as you can.

I'm saying, though, that if the page you posted is itself accessed securely, via HTTPs, then you've taken a reasonable first step.

Access from that page to the various sites, should already be secure.

The page (whose code I posted) is hosted on Geocities, so https is out. In this case, if I use the page to log in, it will not be secure, right?

I guess what I'm asking is: even if I use https, will it be as secure to use this page as it is to use gmail's home page? I'm guessing it won't be.

If possible, can you please examine the code and let me know ?

No, I don't think it will be secure. If you use the page you posted, over an insecure connection, people can see, for example, the cookie data being transmitted from the page to your browser.

I want a gmail login box on my website as well since i saw one on www.startlap.hu.
It is a Hungarian website. Check it out. You may not understand a word, but you'll see the login box on the left. I want something like that. Have a look at the code too!

Dan

NOT SECURE

Google will find it and put it in its search engine. Then anyone can find it and log in to the services on the page without knowing the user name or password.

If it were insecure, then Google would have removed it, I guess. But this is clearly not the case. This is one of the most visited websites in Hungary.
I think i will contact google directly.

I mean your idea of automatically logging in to a website from a web page on click of a link is insecure. Google would not notice that as being an insecurity. It will find the page and list it.

You can't have a "hidden" page on your website that only you can access. Google will find and index all pages on your web space. I put one in, just to keep from using my Yahoo download bandwidth when I start browsing (instead of loading my full homepage). Nothing links to it except the homepage setting in my Firefox. Yet, I found it on Google while looking for something else.

I'm not going to read all the above posts and assume some people have already said this. A lot of schemers and crackers use "custom login pages" as a tricky way to acquire your password/login information. The reasons for their doings vary, however they're pretty much all out to get you in one way or another.

I strongly suggest avoiding anything but the pages on the companies login servers. So if you're about to log in to Yahoo.com, make sure you're on yahoo.com logging in. Same with gmail, hotmail, myspace...and so on.

I mean your idea of automatically logging in to a website from a web page on click of a link is insecure. Google would not notice that as being an insecurity. It will find the page and list it.

You can't have a "hidden" page on your website that only you can access. Google will find and index all pages on your web space. I put one in, just to keep from using my Yahoo download bandwidth when I start browsing (instead of loading my full homepage). Nothing links to it except the homepage setting in my Firefox. Yet, I found it on Google while looking for something else.

Wrong. :P

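You can use a robots.txt file to tell search engines not to index it, or you can put HTTP encryption on it. (Keep in mind that robots.txt is only a request that well-behaved crawlers honour; it does not stop anyone who has the URL from opening the page, so it is not access control.)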
