
Hackers claim $10,000 prize for breaking into StrongWebmail - markbao
http://www.thestandard.com/news/2009/06/04/hackers-claim-10-000-prize-breaking-strongwebmail
======
qeorge
Wow, this is ridiculous:

<http://www2.telesign.com/login.php?loginerror=yes&user=\\%22%3Cscript%3Ealert%28%27youre%20kidding%27%29%3C/script%3E>

Pathetic. (Telesign is behind StrongWebmail)
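The URL above reflects the `user` query parameter straight into the login page, which is why the script in it runs. As an added example (not code from the thread, TeleSign or StrongWebmail; the page template and function names are assumptions), here is the difference between concatenating that value into markup and entity-encoding it first, using the decoded payload from the link:

```javascript
// Added illustration, not StrongWebmail's code. Decoded form of the payload in
// the URL above (constructed from the link's query string).
const REFLECTED_PAYLOAD = "\"<script>alert('youre kidding')</script>";

// Minimal HTML entity encoding for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering (assumed shape of the login error page): the parameter
// is concatenated into the markup, so the query string's <script> element
// becomes part of the page and executes (reflected XSS).
function renderLoginErrorVulnerable(user) {
  return `<p class="error">Login failed for user ${user}</p>` +
         `<input type="text" name="user" value="${user}">`;
}

// Hardened rendering: the untrusted value is entity-encoded before it is
// placed in either context, so the browser shows it as text.
function renderLoginErrorSafe(user) {
  const u = escapeHtml(user);
  return `<p class="error">Login failed for user ${u}</p>` +
         `<input type="text" name="user" value="${u}">`;
}

// Quick regression check for a template: does the output contain a raw
// <script tag at all?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The browser-side filters mentioned below (IE8's XSS filter, NoScript) only catch some reflections; the server-side encoding is what actually removes the bug.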

~~~
solutionyogi
IE 8 notices the XSS attack and tries to safeguard the user.

<http://imgur.com/FzN1f.png>

I verified that the latest versions of Chrome and Firefox don't prevent the
XSS attack.

~~~
yan
Firefox+NoScript does

------
jgrahamc
IIRC the telephone authentication is not used if the machine has already been
used to log into the account. Since the company gave away the username and
password, all that would remain is to steal the cookie used to identify a
machine that has already logged in.

That could be done with an XSS attack using JavaScript to access the cookie
and divert it.

I considered doing this but would have needed to sign up for an account and
that required giving a credit card which I didn't want to do. Well done to the
people who made it work.

------
tdavis
_Hackers love a challenge. And more than that, they love cash._

Strike that, reverse it.

------
duskwuff
It doesn't matter how good the lock on your front door is if the hinges are on
the outside.

------
icey
FTA:

 _The IDG attack did not work initially, but succeeded when security software
called NoScript was disabled on the Firefox browser, running on a Windows XP
machine._

Oh my.

~~~
vaksel
Since NoScript just lets you block javascript, I'm guessing their powerful
security system was nothing more than a few lines of javascript code?

~~~
tybris
I'm guessing they used XSS to perform the man-in-the-middle attack and snatch
the username+password+security code, but initially it didn't work on the
journalist's computer because he had NoScript installed.

~~~
icey
On my first read, I thought it was just shoddy editing, but I think you're
definitely on the right track with this.

------
TallGuyShort
They claim it was to bring more attention to the issue, but you know they did
it to show off. Well THAT backfired, didn't it?

------
tybris
So many people think they know security, so few people do.

~~~
dschobel
It's like any discipline: the best ones appreciate how little they truly know.

------
lilsis
I am really amused by how the 1337 h4x0r attack on Palin's e-mail always comes
up in these security articles.

------
rdj
Since everyone is venturing a guess, here's mine:

They used XSS (cross site scripting) to send a mail to the target. When the
email is viewed a CSRF (cross site request forgery) is executed to add a new
device (phone) to the authenticated devices list. Next they log in, receive
the SMS on their phone that is now in the list...bam!

[Edit: I didn't mean XSS to send the email, I meant inject an XSS attack into
the email and send it. I'm thinking something like pseudo:
location.replace(/link/to/add/device/?phone=555-1212) ]

~~~
Xichekolas
As jgrahamc pointed out: <http://news.ycombinator.com/item?id=642280>

They probably sent the mail like you said, only used the CSRF to jack the
cookie, which would be easier than adding a phone to the list.

~~~
tptacek
Can you explain what the CSRF attack you're thinking of is? Maybe I'm not
reading you carefully enough (long day), but that doesn't sound like a CSRF to
me.

~~~
Xichekolas
Well my thoughts were something like:

Victim logs in using two-factor auth, gets a cookie which lets them back in
without phone in future.

Attacker sends email to victim with some kind of script embedded.

Victim views email, javascript runs and sends cookie info to attacker.

Attacker uses cookie to impersonate victim.

Of course, it's been a long day here too, and I'm so far from an expert on
this stuff it's entirely probable that what I just described doesn't make
sense/isn't possible.

Edit: Yeah, guess what I described is more XSS than CSRF

~~~
ErrantX
I suspect you're on the right lines: but from the XSSExploits tweets I imagine
that what they _might_ well have done is execute some JS to add a new
authorised phone number to the list (i.e. by just posting the new details).

That said, they say they also needed a strongwebmail account for it to work, so
I could be wrong - perhaps they just hijacked their authed session ID into the
CEO's (possibly??)

------
modoc
I wonder if they have a viable business after this. Seems like this could be a
deathblow right off the bat.

~~~
brl
Did they have a viable business to begin with? At least personally, I don't
spend too much time worrying that hackers are going to raid my gmail.

~~~
modoc
I've dealt with several companies, mostly banks, that use web based "secure
e-mail" systems (mostly they're just file storage systems). They won't e-mail
important documents to you since most people's e-mail clients use plain text
and/or people use weak passwords, etc...

In fact I recently received a four inch thick stack of documentation, APIs,
etc... via FedEx from a bank because they didn't trust my e-mail and I wasn't
on "the list" for their "secure e-mail" site (pay per account thing).

So yes, reasonable or not, secure or not, there is a business supplying
"secure" communications for businesses.

------
sucuri2
I believe they probably found a way to inject some data that wasn't properly
escaped.

When the CEO (or anyone else) would receive the alerts that someone was trying
to break into their accounts, the XSS or javascript (or whatever) would be
included in the alert and executed ... That's probably how they broke into it
and why it didn't work with noscript enabled.

------
weegee
Glad to see the advertising program on HN working as planned.

~~~
tlrobinson
Advertising that their application is incredibly insecure?

Even if they fix this, I wouldn't trust a company that claims their product is
very secure, offers a $10k reward for hacking it, then gets exploited in less
than a day by (most likely) the simple XSS vulnerability mentioned in another
comment.

~~~
miles
_"Advertising that their application is incredibly insecure?"_

No, weegee is referring to this story which was deleted as spam apparently:

<http://news.ycombinator.com/item?id=638494>

