The company prepares a new competition with additional restrictions

Jun 11, 2009 10:01 GMT

A while back, StrongWebmail, a new webmail service claiming to offer the most secure email accounts on the planet, launched a hacking competition awarding $10,000 to the first hacker to break into the account of the company's CEO. The company acknowledged defeat to a team of three security researchers, who achieved the task by exploiting a cross-site scripting vulnerability.

StrongWebmail employs a real-time, telephone-based verification system, developed by its parent company, Telesign, in order to validate authentication. When the contest was announced as part of its marketing efforts, the company aimed at proving the reliability of its two-factor authentication mechanism.

Security researchers Lance James of Secure Science Corporation, Mike Bailey and Aviv Raff took on the challenge, but went for an easier way than messing with the authentication system. "We simply took the easiest route. With the webmail app riddled with holes, we saw no point in bothering with the front end. Considering it took us less than a minute from registration to find the hole we used to compromise the app, can you blame us?" Mike Bailey writes on his blog.

Lance James explains the hack in more detail in an interview with FireHost. The attack vector was a cross-site scripting weakness in the From field of the webmail application, but social engineering was also required to exploit it. First, the researchers crafted an e-mail with an XSS exploit, which, when opened, gathered information from the compromised account, such as the task list required to win the contest, and submitted it to an external file controlled by them.
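
As an added illustration (not code from the article, from the researchers, or from StrongWebmail), the following Python shows why a From field becomes a stored XSS vector when its value is concatenated into the inbox page unescaped, and the two defences a webmail developer would want: output encoding at render time and an allowlist check on the inbound header. The sample header values and the inbox-cell markup are constructed.

```python
import html
import re

# Constructed sample From header values (illustrative, not from the incident).
LEGIT_FROM = '"Alice Example" <alice@example.test>'
MARKUP_FROM = '"Mallory" <mallory@example.test><script>alert(1)</script>'
ATTR_BREAK_FROM = 'bob@example.test" onmouseover="alert(1)'

# Hypothetical inbox-list cell; the real StrongWebmail markup is not known.
CELL_OPEN, CELL_CLOSE = '<td class="from">', '</td>'


def render_from_vulnerable(from_header: str) -> str:
    """Header text concatenated straight into HTML: stored XSS via From.
    Even the legitimate header is mangled here, because the browser parses
    '<alice@example.test>' as a tag start rather than showing the address."""
    return f"{CELL_OPEN}{from_header}{CELL_CLOSE}"


def render_from_hardened(from_header: str) -> str:
    """Same cell, but every HTML metacharacter is encoded on output, so the
    browser shows the header text instead of interpreting it."""
    return f"{CELL_OPEN}{html.escape(from_header, quote=True)}{CELL_CLOSE}"


# '<', optional '/', then a letter: the start of something the HTML parser
# would treat as a tag.
TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def cell_contains_tag(rendered: str) -> bool:
    """Does the rendered cell body contain a tag start the browser would parse?"""
    body = rendered[len(CELL_OPEN):-len(CELL_CLOSE)]
    return TAG_START.search(body) is not None


# Allowlist for the inbound header: an optional quoted display name followed by
# exactly one angle-bracketed address (no quotes, brackets or whitespace inside),
# or a bare address. Anything else is rejected or flagged before it is stored.
WELL_FORMED_FROM = re.compile(
    r'^(?:"[^"<>]*"\s*)?<[^<>"\s]+@[^<>"\s]+>$|^[^<>"\s]+@[^<>"\s]+$'
)


def is_well_formed_from(from_header: str) -> bool:
    """True only for headers that fit the expected display-name/address shape."""
    return WELL_FORMED_FROM.match(from_header) is not None
```

Output encoding is the control that actually closes the hole; the allowlist check is a second layer that also gives a cheap detection signal when a stored header fails it.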

However, they were faced with a problem – they didn't know if the [email protected] account was actually being checked by anyone. Therefore, they devised a trick: they sent another e-mail to [email protected] claiming that they had won the contest and that the details of the hack were in the e-mail sent to the CEO's account, the one containing the trap. As soon as someone went and opened it, they got owned.

Both Lance and Bailey said they had expected the company to downplay their method, which it did to some extent. "It is important to note that the frontend protection offered by StrongWebmail.com was not compromised. In fact, Lance and his team were forced to find a way around the phone authentication," the StrongWebmail team wrote in a blog post that has since been taken down*. Nevertheless, StrongWebmail officially recognized the trio of hackers as the winners of its contest.

The company announced plans for a new competition, which will, however, focus on breaching the telephone verification system provided by Telesign. "Assuming that the new rules aren't ridiculously restrictive, I'll probably participate in the next round – I've still got a few tricks up my sleeve," notes Mike Bailey, who otherwise feels that "these hacking contests, frankly, are a joke."

"While some structure is necessary for any organized contest, the whole point of hacking is finding ways to bend rules and manipulate the system," the researcher goes on to explain. "I understand that StrongWebMail was created to demonstrate Telesign's 2-factor authentication system, but this is a perfect demonstration that security needs to be addressed holistically."

Apparently, Lance feels the same. "Contests do and don’t work. […] The hope is to open your eyes and realize security is about an ecosystem, not just one component. You can have a steel door, and have the windows open, and attackers can still get in," he tells FireHost.

Note: * The referenced blog post was still available in the Google cache at the time of writing this article.