StrongWebMail Bounty Attack – Caveat Emptor
StrongWebMail has received publicity for the $10,000 bounty that the company’s chief executive offered if someone could break into his web mail account.The executive, Darren Berkovitz, posted his StrongWebMail username and password on the company web site.
IDG is reporting that three information security professionals are now claiming that they were able to pwn (“own”) Mr. Berkovitz’s StrongWebMail account. Although their exact method has not been revealed, IDG is reporting that the StrongWebMail site was vulnerable to cross site scripting attacks.
The Data Security Podcast had a conversation with Darren Berkovitz on Friday June 5th.
He was not yet ready to talk about the StrongWebMail bounty attack. But, he agreed to do so in the coming week. That conversation will be posted on June 15th, in Episode 57 of the Data Security Podcast.
He did talk with us on Friday about his service in general, and about the challenges of market adoption of multi-factor authentication.
StrongWebMail’s parent company, Telesign is a provider a phone focused multi-factor authenticaion services. The service allows owners of web sites to validate users with a phone call to end users. That call can contains a validation code, for use on the web site, in addition to a username/password pair. StrongWebMail is, in some ways, a proof of concept that is designed by Telesign to demonstrate the acceptance of multi-factor authentication for the world’s most popular web application: web mail.
According to Mr. Berkovitz, StrongWebMail uses an off-the-shelf web mail application once users get pased validation.
And, that may be the chink in the armour that security researchers used. Rather than attacking the multi-factor element, IDG reports that the researchers created their own StrongWebMail accounts. They then used those accounts to launch attacks that allowed them “hop over” from one user account to another, including, allegedly, hopping over to Mr. Burkovitz’s account.
If they waited for Mr. Berkovitz to log in, and then hopped over to his account, that could be a method to gain access to his account. If this indeed isthe nature of the bounty attack, then it would re-emphasis the important of securing the code of web appliations. The best multi-factor systems cannot compensate for weaknesses in a web application.
So, if we are on the right track, then this is not a story about the weaknesses of a two factor authenticaion system. This may simply be another example of the importance of security in web-based, or so-called cloud computing, applications. That even includes web sites that assure customers that “our site is secure,” or even when the site has names, icons, or other technolgies associated with information security in general.