X
Business
Home Business Executive

StrongWebmail CEO's mail account hacked via XSS

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO's e-mail has lost the challenge.A trio of hackers successfully compromised the e-mail using persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.
Written by Ryan Naraine, Contributor

strongwebmaillogo.png
A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO's e-mail has lost the challenge.

A trio of hackers successfully compromised the e-mail using persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.

[ SEE: Email service provider: 'Hack into our CEO's email, win $10k' ]

The hacking team of Aviv Raff, Lance James and Mike Bailey set up the attack by sending an e-mail to the company's CEO Darren Berkovitz.   When he opened the e-mail, the team exploited an XSS flaw to take control of the account.

They were able to follow the contest rules and record a calendar entry for one of Berkovitz's task that's due on June 26.

Robert McMillan reports that Berkowitz confirmed the authenticity of the calendar entry but StrongWebmail has not yet confirmed the compromise of pay the promised bounty.

The researchers are not sharing details of the vulnerability.  However, James has been posting screenshots of StrongWebmail's XSS problems on Twitter.

Editorial standards
Show Comments

Related

Linus Torvalds and Dirk Hohndel, Open Source Summit North America 2024

Linus Torvalds takes on evil developers, hardware errors and 'hilarious' AI hype

penguin holding an apple on Sonoma background

6 features I wish MacOS would copy from Linux

Placeholder product image alt text

The best AI image generators to try right now