If it’s on the web, it’s insecure. StrongWebmail’s CEO learned this lesson the hard way after hackers broke into his email account. StrongWebmail challenged hackers to break into the company’s web mail system and promised to pay out a US$10,000 prize. Hackers used XSS (cross-site scripting) attack techniques to break into the account and won the contest. The contest was announced last week to promote the company’s voice-based identification technology. They were so confident that they even published the user name and password online.
The provider of “the most secure email accounts on the planet” confirmed the hack on its website.
Lance James and a team of hackers – already known for finding vulnerabilities in the McAfee website, Twitter, and various other prominent web properties – found a weakness in the email software StrongWebmail.com licenses from a third party. Using this vulnerability, they were able to obtain info from the CEO’s email account and win the contest.
http://www.strongwebmail.com/secure/email/contests/hack_statement
Contest rules prevent the researchers from disclosing how they performed their attack, but they were also able to compromise a test StrongWebmail account set up by the IDG News Service. The IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine.
