SecPoint Logo

StrongWebmail hacked after challenge

StrongWebmail's first hacker challenge has finally been defeated by a couple of non-malicious "hackers", which prompted the U.S. startup to admit defeat, give away a contest prize worth $10,000, and plot an even better challenge in the future that should take full advantage of its security specialty—an advanced phone verification technology.

The company was so convinced of its pledge to provide the most secure webmail and calendar service in the entirety of the worldwide web that it challenged security researchers and well-meaning hackers alike to breach its supposedly impenetrable callback verification system and get its Chief Executive's schedule for the 26th of June.

At any rate, seasoned security specialists Mike Bailey, Aviv Raff, and Lance James made short work of the security system after discovering a cross-site scripting (XSS) bug on.

StrongWebmail's website that enabled registered members

spy around and procure details from other user accounts at will.

The web-based e-mail service utilizes a callback authentication approach developed by its parent company, Telesign.

In theory, it should have stopped a hacker from accessing an account even if he were able to somehow steal its login credentials.

He'll have to gain access to the phone linked to the account as well as steal the login information in order to infiltrate his target's inbox and other account contents.

Users accessing an originally unused PC are prompted to input a code sent to a registered phone.

Despite the successful infiltration of Raff, Bailey, and James into the StrongWebmail servers, the webmail startup insists that the above method is a solid approach against hacker attacks. Ergo, it's even thinking about instituting a second hacker challenge while confessing that the security researcher trio defeated its systems quite fairly... for now.

The company notes that, first and foremost, the front-end shield they were using was never compromised and James and co. was "forced" to use another route to breach their defenses.

Its team of developers is currently working alongside its e-mail provider to resolve this vulnerability issue and guarantee that their e-mail software is secure from the inside-out.

The idea of another hacking challenge won't really prove anything and, at worst, will lead to further exposure of the webmail's defenses that are not related to its much ballyhooed callback verification process.

What's the point in reinforcing the front door when intruders could simply chip away at the wall, or go through the chimney, or break the window? After all, the whole point of a security breach is to find programming holes that developers have overlooked.