StrongWebmail CEO's mail account hacked via XSS

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO's e-mail has lost the challenge.A trio of hackers successfully compromised the e-mail using persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO's e-mail has lost the challenge.

A trio of hackers successfully compromised the e-mail using persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.

[ SEE: Email service provider: 'Hack into our CEO's email, win $10k' ]

The hacking team of Aviv Raff, Lance James and Mike Bailey set up the attack by sending an e-mail to the company's CEO Darren Berkovitz.   When he opened the e-mail, the team exploited an XSS flaw to take control of the account.

They were able to follow the contest rules and record a calendar entry for one of Berkovitz's task that's due on June 26.

Robert McMillan reports that Berkowitz confirmed the authenticity of the calendar entry but StrongWebmail has not yet confirmed the compromise of pay the promised bounty.

The researchers are not sharing details of the vulnerability.  However, James has been posting screenshots of StrongWebmail's XSS problems on Twitter.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All