StrongWebmail launched a contest earlier this month urging hackers to attempt to crack into its CEO's StrongWebmail account. The company was so confident it put a cool $10,000 up for the first one to successfully access the account. To make the break a little easier, the company even provided the CEO's username and password.
StrongWebmail works like this: To get into an account, the account owner must receive a verification call on his or her phone after putting in his or her username and password. That call -- which only goes to the account owner's phone -- provides a code to gain access into the e-mail account. The phone authentication is supposed to be the strongest line of defense. Essentially, if someone tries to log into a user's account without permission, he or she won't receive the phone call with the code. Also, if someone is trying to fraudulently log into an account, the account's owner will receive an authentication phone call.
Additionally, account owners only need to receive the call when they are logged in from an unrecognized computer. When using a home or work computer, a cookie can be stored so no verification call is required.
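The login flow just described, modelled as an added example (not StrongWebmail's code): password check first, then either a valid trusted-device cookie or a one-time code delivered out of band to the registered phone. The user record, phone number and the `SENT_CALLS` list standing in for the telephone call are constructed sample data; the HMAC-signed cookie format is an assumption, chosen so a cookie copied from one account cannot unlock another.

```python
import hmac, hashlib, secrets, time

SERVER_KEY = secrets.token_bytes(32)          # server-side secret (constructed)
# Constructed sample account; a real system stores a password hash, not the password.
USERS = {"ceo": {"password": "hunter2-constructed", "phone": "+1-555-0100"}}
PENDING = {}      # username -> (one-time code, expiry timestamp)
SENT_CALLS = []   # stand-in for the verification call: (phone, code) pairs "delivered"

def _device_tag(username, device_id):
    # Cookie is bound to both user and device and signed with the server key.
    msg = f"{username}:{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_device_cookie(username, device_id):
    return f"{device_id}:{_device_tag(username, device_id)}"

def device_cookie_valid(username, cookie):
    if not cookie or ":" not in cookie:
        return False
    device_id, tag = cookie.split(":", 1)
    return hmac.compare_digest(tag, _device_tag(username, device_id))

def check_password(username, password, device_cookie=None):
    """Step 1: returns 'denied', 'session' (recognized computer) or 'call_required'."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return "denied"
    if device_cookie_valid(username, device_cookie):
        return "session"                      # cookie present: no call needed
    code = f"{secrets.randbelow(10**6):06d}"  # 6-digit one-time code
    PENDING[username] = (code, time.time() + 120)
    SENT_CALLS.append((user["phone"], code))  # only the account owner's phone gets it
    return "call_required"

def verify_phone_code(username, code):
    """Step 2: the code is single-use and expires; any failure consumes it."""
    pending = PENDING.pop(username, None)
    if pending is None:
        return "denied"
    expected, expiry = pending
    if time.time() > expiry or not hmac.compare_digest(expected, code):
        return "denied"
    return "session"
```

Note that both paths end in the same "session": the phone step guards only the login, so a flaw in the webmail application behind it (the kind of XSS issue the contest exposed) is out of its reach.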
Sounds pretty tight, right?
But this week, ethical hacker Lance James and his team of security researchers took the prize, cracking into the CEO's e-mail using an XSS script that took advantage of a vulnerability in StrongWebmail's Webmail vendor's program. James and company found a loophole.
While StrongWebmail will award James and his crew the $10,000 as promised, the company contends that its e-mail verification callback service was not compromised.
"In fact, Lance and his team were forced to find a way around the phone authentication," the company said in a statement. "We are working with our e-mail provider to solve this vulnerability and ensure that the back-end e-mail software is more secure. We remain confident that our authentication solution -- sending a verification call or text message to a person's cell phone -- is the best front-end protection for user names and passwords."
StrongWebmail, however, said once the vulnerability is fixed, it will unveil a new contest.
"We won't rest until we have proven that telephone-based authentication is the most secure form of username/password protection available," the company said.