StrongWebmail CEO's mail account hacked via XSS

Summary: A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO's e-mail has lost the challenge. A trio of hackers successfully compromised the e-mail using a persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO's e-mail has lost the challenge.

A trio of hackers successfully compromised the e-mail using a persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.

[ SEE: Email service provider: 'Hack into our CEO's email, win $10k' ]

The hacking team of Aviv Raff, Lance James and Mike Bailey set up the attack by sending an e-mail to the company's CEO, Darren Berkovitz. When he opened the e-mail, the team exploited an XSS flaw to take control of the account.

They were able to follow the contest rules and record a calendar entry for one of Berkovitz's tasks due on June 26.

Robert McMillan reports that Berkovitz confirmed the authenticity of the calendar entry, but StrongWebmail has not yet confirmed the compromise or paid the promised bounty.

The researchers are not sharing details of the vulnerability. However, James has been posting screenshots of StrongWebmail's XSS problems on Twitter.
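The attack described above depended on script carried inside a message being rendered by the webmail client in the victim's session. As an added example, not StrongWebmail's code or the researchers', the following Python allowlist sanitizer shows the control a webmail backend would apply to every HTML body before it reaches the inbox page; the tag allowlist and the safe URL schemes are constructed here for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: everything not listed here is dropped on sight.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}  # no style= and no on* handlers on any tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a dropped <script>/<style> subtree

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the element together with its contents
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text still comes through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror=, onclick=, style= ... never pass
            if name == "href":
                # Browsers ignore whitespace/control chars inside a scheme, so
                # strip them before checking (catches "java\tscript:" obfuscation).
                scheme_view = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
                if not scheme_view.startswith(SAFE_SCHEMES):
                    continue  # javascript:, data:, vbscript: links are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # message text is text, never markup

def sanitize_email_html(raw: str) -> str:
    """Return a rendering-safe version of an untrusted HTML message body."""
    parser = EmailSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

The sanitizer runs on the server at storage or render time, so a stored message cannot later execute in the mailbox owner's browser even if the rest of the page has no other defence.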

Talkback

25 comments
  • XSS is one way to do it..

    But the telephone authentication is still a flawed 2-factor authentication method.



    Well, I was really hoping I'd get to it before Lance did, my hat's off to you brother. I would have just attacked it from the phone phreaking side, we know the CEO's phone # for authentication ends in 5930, I had people scanning 310-xxx-5930 all night last night for me. Once we found the phone number all we would have had to do was make one phone call to the telco, temporarily forward the line to our phone number, intercept the code and log in, no XSS or computer skillz needed =)
    lucky225
    • How?

      I don't know much about phones, or half of what you're saying. How would knowing the CEO's phone # grant you access?
      mathcreative
    • Well

      I work for a mobile phone network and there is no way in hell that we would temporarily forward the number!
      For a start we would want to speak to the account holder and believe me we could check which number you would call in on.

      Secondly on a GSM network it would involve sms messages being sent to the sim so you would need access to the phone anyway.

      Your solution only works assuming the telco are stupid or careless.
      jdbukis
    • Ummm..

      "I would have just attacked it from the phone phreaking side, we know the CEO's phone # for authentication ends in 5930, I had people scanning 310-xxx-5930 all night last night for me"

      Unless you have an inside person at the phone company, getting someone else's line forwarded to yours isn't that likely. Even if you did manage it, with the lack of computer skills, or as you misspelled it, skillz, how would you intercept such codes?

      Nice try. Oh and the name dropping like you know them personally... how lame.
      ShadowGIATL
      • he is just a wannabe hack

        has no real experience, and as he put it no "skillz" either. And if he knew someone in the telco, they would likely not risk their job for them, not to mention criminal charges.
        xXSpeedzXx
  • Fail!

    Big fail.
    Daniel Breslauer
  • RE: StrongWebmail CEO's mail account hacked via XSS

    Because calling up the phone company and socialing Customer Service into forwarding a phone takes no skill whatsoever, or if you're in the know you can just call up the Switch the phone is served on and have the switchman do it, or call the telco NOC and have them do it. All you gotta do is talk to someone who has the access to do the things you want them to do and then convince them to do it.
    lucky225
    • DPA

      In the UK the data protection act means we could only do this with explicit permission of the account holder and we would need to know which number he wanted to switch it to and again it would require sending sms messages to the handheld so it would likely arouse suspicion quickly too, not to mention a possible jail sentence for all involved (including the operator).
      It's not as simple as switching a plug on a switch board, not on a GSM network anyway.
      jdbukis
    • Your premise fails.

      Most telecoms have data privacy rules in place, for reasons such as "if we don't verify the identity of the caller, then we can get sued."

      If I call my telco, and tell them I want voice mail they are going to ask me to verify a whole bunch of information. Such as my Social Security #, name and address, date of birth, and maybe even a secret question.

      Now at a corporation level, call forwarding and even call management may be handled in house, like it is in my place of work. And even so, if the phone is managed from the telco, in such case you would have to know who the person is that is authorized for making said changes, and what kind of information the telcos require to make any such changes.

      Likely what would happen is you would get reported to the police. Which would make you one of the dumbest hackers of all time.
      xXSpeedzXx
  • RE: StrongWebmail CEO's mail account hacked via XSS

    I guess they gave it away on their website post.

    http://www.strongwebmail.com/news/secure-web-mail/break-into-my-email-get-10000-here-is-my-username-and-password/

    "When logging in from a home or work computer, a cookie can be stored so that no verification call is required."

    Verdict: FAIL!
    elfman256
    • rofl

      Yeah so the cookie can be spoofed! They should change their name to strongwebfail!
      jdbukis
  • Am I good or what:

    http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=65201&messageID=1216822
    ye
  • RE: StrongWebmail CEO's mail account hacked via XSS

    Cheap penetration testing! To hire a security firm to do the same test would be more expensive than $10K. This way, you get the best hackers in the world for a cheap price.

    Way to go StrongWebmail. Fix the vulnerability, keep the reward system in place and improve your security faster and for less money than your competitors.
    mhanratty
    • Correct

      A hired security firm will do "in lab" testing with limited resources, but this method is much better since this is the "real world", where you have more people and resources to hack/crack you with.
      phatkat
  • Pride Goes Before the Fall

    http://bible.cc/proverbs/16-18.htm

    This stunt reminded me of the guy who displayed his Social Security number everywhere and defied anyone to steal his identity. At least this was just an e-mail account that they purposely set up as a target, so no company secrets were at risk.
    MichP
  • Why again do we need XSS in a "secure" mail environment?


    Most of the vulnerabilities today are a direct result of some kind of eye candy. Maybe it's time for a rethink....
    croberts
    • eh

      XSS isn't a feature. It means cross site scripting.
      isulzer
  • This is why security is layered.

    . . . and they get through like most hackers do: Instead of going through the most difficult, obvious way, they sneak into a back door.

    In this case, it appears they came through the most obvious route that most hackers use - through an attachment (or directly through the HTML, since email clients usually include HTML support).

    The anti-virus didn't detect it because anti-virus software is largely a reactive not a proactive measure, and this code was likely new code written strictly for this purpose.

    If you're targeted, you're pretty much guaranteed to get hacked. If you're aware that you're getting hacked, your best bet is to disconnect the network.

    This is why security should be layered: Because there are so many channels available to hack, having only one thing protecting you doesn't make sense.

    This is something that will, for example, bypass a firewall.
    CobraA1
  • They went into the BIOS

    I ain't kidding, hackers are not smart, but they are faster and invisible. Where does anybody learn to write a script file? Not at der university, I can assure you.
    BALTHOR
  • RE: StrongWebmail CEO's mail account hacked via XSS

    I've temp forwarded cellphones at *ALL* major carriers. It does not take much to verify you are the "account holder". Last 4 of someone's SSN isn't very hard to obtain, and I've socialed SEVERAL accounts without SSN simply by asking what my balance is and then small talking the rep until they forget they haven't verified who I am and then having the rep add a password to the account and calling back in to do what I want by verifying the password I just added. ALL telcos are stupid, social engineering cannot be patched and reps are not properly trained. Just because you might not do it for me doesn't mean some other rep won't.
    lucky225