
June 4th, 2009

StrongWebmail CEO's mail account hacked via XSS

Posted by Ryan Naraine @ 2:16 pm

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Exploit code, Hackers, Passwords, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, Web 2.0, Web Applications, Zero-day attacks

Tags: XSS, CEO, E-mail, Online Communications, Ryan Naraine

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO’s e-mail has lost the challenge.

A trio of hackers successfully compromised the e-mail using a persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.

[ SEE: Email service provider: 'Hack into our CEO's email, win $10k' ]

The hacking team of Aviv Raff, Lance James and Mike Bailey set up the attack by sending an e-mail to the company’s CEO, Darren Berkovitz. When he opened the e-mail, the team exploited an XSS flaw to take control of the account.

They were able to follow the contest rules and record a calendar entry for one of Berkovitz’s tasks that’s due on June 26.

Robert McMillan reports that Berkovitz confirmed the authenticity of the calendar entry, but StrongWebmail has not yet confirmed the compromise or paid the promised bounty.

The researchers are not sharing details of the vulnerability. However, James has been posting screenshots of StrongWebmail’s XSS problems on Twitter.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Talkback

heh heh...
If you've EVER heard the intercept message saying "Your call may be recorded for quality assurance purposes" on a call to any given company, you should know that ANY call to that number IS going to be...
Posted by: flared0ne | 06/08/09
