Friday, June 5, 2009

That Was Stupid! $10k If You Can Hack This...Ooops!

Startup: We'll give you $10,000 if you can hack into our CEO's email.  Oops!  Already?

June 2nd:


A newly launched startup called StrongWebMail is aiming to add a new layer of secure authentication for its customers - phone verification prior to logging in and alert services for potential email compromises.


The company is in fact so confident in its approach that it’s currently offering $10,000 rewardto the person who breaks into the CEO’s email. To make things eveneasier, they have in fact provided his user name and password (CEO at StrongWebmail.com; Mustang85).

The catch? Aspired participants would have to figure out a way tointercept the 3 digit PIN send over SMS/phone call required for loggingin :

“StrongWebmail.com is offering $10,000 to the firstperson that breaks into our CEO’s email account…and to make thingseasier, we’re giving you his username and password.  There’s just onecatch: to access a StrongWebmail.com email account, the account’s ownermust receive a verification call on his pre-registered phone number. Soeven though you have our CEO’s username and password, you still havesome work to do because you don’t have access to his telephone.”

48 Hours Later... Ooops!
June 4th:

A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO’s e-mail has lost the challenge.

A trio of hackers successfully compromised the e-mail usingpersistent cross-site scripting (XSS) vulnerability and are nowclaiming the bounty.


[ SEE: Email service provider: 'Hack into our CEO's email, win $10k' ]


The hacking team of Aviv Raff, Lance James and Mike Bailey set upthe attack by sending an e-mail to the company’s CEO DarrenBerkovitz.   When he opened the e-mail, the team exploited an XSS flawto take control of the account.

They were able to follow the contest rules and record a calendar entry for one of Berkovitz’s task that’s due on June 26. Robert McMillan reports that Berkowitz confirmed the authenticity ofthe calendar entry but StrongWebmail has not yet confirmed thecompromise or pay the promised bounty.

The researchers are not sharing details of the vulnerability.  However, James has been posting screenshots of StrongWebmail’s XSS problems on Twitter.
Reblog this post [with Zemanta]

Disqus for ePayment News