Slashdot Mirror


Hackers Claim $10K Prize For StrongWebmail Breakin

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"

5 of 193 comments

  1. Hu? by ae1294 · Score: 5, Insightful

    Wait, I'm confused??? They expected the hackers to follow rules?

    1. Re:Hu? by MrMista_B · Score: 5, Insightful

      Social engineering is a perfectly valid and entirely effective method of hacking.

    2. Re:Hu? by Anonymous Coward · Score: 5, Insightful

      They never logged into the account themselves.

      It's an XSS exploit: StrongWebmail expended all their resources attempting to prevent people obtaining credentials and logging in. However, send an email with an appropriate piece of script to the target user, or provide a link targeting one of the iframes on the site, and all you have to do is sit back and wait for that to get loaded in the browser.

      The person doing the exploit never has to log in, all they need is to get some script on the page and wait for the target user to use their account as normal, which triggers the exploit right inside the browser. That's why noscript blocked the attempt on IDG - it wasn't the hackers running Firefox+noscript, it was the journalist asking them to replicate the attack.

      No secretaries, janitors or midnight exchanges of cash-filled envelopes required - they spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues delivered to the service entrance.
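A defender-side illustration of the point made in this comment, added here and not code from StrongWebmail or from anyone in the thread: a webmail client that renders HTML message bodies should pass them through an allow-list sanitiser before they reach the reader's browser, so that script, event-handler attributes, iframes and javascript: links in a received message are never executed in the logged-in user's session. The allow-lists and the link-scheme policy below are assumptions, not StrongWebmail's.

```javascript
// Allow-list sanitiser for HTML message bodies (added example; lists are assumptions).
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'em', 'strong', 'a',
                              'ul', 'ol', 'li', 'div', 'span', 'blockquote']);
const ALLOWED_ATTRS = { a: new Set(['href']) };      // no style=, no on* handlers anywhere
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
// Simplified tokeniser: a tag, a run of text, or a stray '<'. Tag matching stops at
// the first '>', which is enough for the cases below but not a full HTML parser.
const TOKEN = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function escapeText(s) {
  return s.replace(/&(?![a-zA-Z#0-9]+;)/g, '&amp;')   // keep existing entities
          .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only absolute http(s)/mailto links survive: a relative href would resolve on the
// webmail origin itself, and javascript:/data: schemes run or load attacker content.
// Whitespace and control characters are stripped first so "java\tscript:" cannot slip by.
function safeHref(v) {
  return /^(https?:|mailto:)/i.test(v.replace(/[\s\u0000-\u001f]/g, ''));
}

function sanitizeEmailHtml(html) {
  let out = '';
  let skipping = null;                   // name of a dropped element we are currently inside
  for (const m of html.matchAll(TOKEN)) {
    const [tok, rawName, rawAttrs] = m;
    if (rawName === undefined) {         // text node (or a stray '<'): escape, never trust
      if (!skipping) out += escapeText(tok);
      continue;
    }
    const name = rawName.toLowerCase();
    const closing = tok[1] === '/';
    if (DROP_WITH_CONTENT.has(name)) {   // drop the element together with its contents
      skipping = closing ? null : name;
      continue;
    }
    if (skipping || !ALLOWED_TAGS.has(name)) continue;  // unknown tag: keep text, drop tag
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of (rawAttrs || '').matchAll(ATTR)) {
      const key = a[1].toLowerCase();
      const val = [a[2], a[3], a[4]].find(v => v !== undefined) || '';
      const allowed = ALLOWED_ATTRS[name];
      if (!allowed || !allowed.has(key)) continue;      // everything not listed is dropped
      if (key === 'href' && !safeHref(val)) continue;
      attrs += ` ${key}="${escapeText(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}
```

Sanitising on the server is only one layer; a Content-Security-Policy on the webmail pages that forbids inline script gives a second one if the sanitiser is ever bypassed.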

  2. Re:Telegraphing by Alethes · Score: 5, Insightful

    Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying right after 9/11.

  3. This is obvious by empesey · Score: 5, Insightful

    If the idea is to determine whether it can be cracked, why are there rules? Whether they followed some self-imposed rules or not, it still indicates that there is a weak link in the armor.