Hackers Crack 'Unhackable' E-mail Account, Win $10,000
StrongWebmail launched a contest earlier this month urging hackers to attempt to crack into its CEO's StrongWebmail account. The company was so confident it put a cool $10,000 up for the first one to successfully access the account. To make the break a little easier, the company even provided the CEO's username and password.
StrongWebmail works like this: To get into an account, the account owner must receive a verification call on his or her phone after putting in his or her username and password. That call -- which only goes to the account owner's phone -- provides a code to gain access into the e-mail account. The phone authentication is supposed to be the strongest line of defense. Essentially, if someone tries to log into a user's account without permission, he or she won't receive the phone call with the code. Also, if someone is trying to fraudulently log into an account, the account's owner will receive an authentication phone call.
Additionally, account owners only need to receive the call when they are logged in from an unrecognized computer. When using a home or work computer, a cookie can be stored so no verification call is required.
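As an added illustration, not StrongWebmail's own code, the following constructed Python model follows the flow the article describes: password check, a one-time code delivered to the owner's phone, and a trusted-device cookie that lets later logins skip the call. It also shows where the phone gate sits: it is evaluated only at login, so anything that runs with an already-open session (such as the webmail application itself) is never asked for the code again.

```python
import hmac
import secrets

# Constructed model of the login flow described above (not StrongWebmail's implementation).
class PhoneVerifiedWebmail:
    def __init__(self, users):
        self.users = users            # username -> password (demo only; store hashes in real systems)
        self.pending = {}             # username -> one-time code "sent" to the owner's phone
        self.trusted_devices = set()  # device cookies allowed to skip the verification call
        self.sessions = {}            # session token -> username
        self.phone_log = []           # codes delivered to the owner's phone (visible only to the owner)

    def login(self, username, password, device_cookie=None):
        # Step 1: username and password. Unknown users fall through to a failed comparison.
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return {"status": "denied"}
        # Recognised computer: the cookie stands in for the phone call.
        if device_cookie in self.trusted_devices:
            return self._open_session(username)
        # Unrecognised computer: "call" the owner's phone with a one-time code.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = code
        self.phone_log.append((username, code))
        return {"status": "call_sent"}

    def verify_code(self, username, code):
        # Step 2: the code from the phone call. One attempt per call; a wrong
        # code discards the pending code so the caller must log in again.
        expected = self.pending.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return {"status": "denied"}
        result = self._open_session(username)
        cookie = secrets.token_hex(16)
        self.trusted_devices.add(cookie)   # remember this computer for next time
        result["device_cookie"] = cookie
        return result

    def _open_session(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return {"status": "ok", "session": token}

    def read_mail(self, session_token):
        # The phone gate is not consulted here: any request carrying a live session
        # token is served, so flaws in the mail application run behind that gate.
        user = self.sessions.get(session_token)
        return None if user is None else f"inbox of {user}"
```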
Sounds pretty tight, right?
But this week, ethical hacker Lance James and his team of security researchers took the prize, cracking into the CEO's e-mail using an XSS script that took advantage of a vulnerability in StrongWebmail's Webmail vendor's program. James and company found a loophole.
While StrongWebmail will award James and his crew the $10,000 as promised, the company contends that its e-mail verification callback service was not compromised.
"In fact, Lance and his team were forced to find a way around the phone authentication," the company said in a statement. "We are working with our e-mail provider to solve this vulnerability and ensure that the back-end e-mail software is more secure. We remain confident that our authentication solution -- sending a verification call or text message to a person's cell phone -- is the best front-end protection for user names and passwords."
StrongWebmail, however, said that once the vulnerability is fixed, it will unveil a new contest.
"We won't rest until we have proven that telephone-based authentication is the most secure form of username/password protection available," the company said.