Security researchers: Done

Jun 5, 2009 10:15 GMT  ·  By
Three security researchers claim the prize of Strong Webmail's hacking challenge

Strong Webmail, a webmail service featuring enhanced security, has recently challenged hackers to break into its CEO's e-mail account in order to win $10,000. It took a team of well-known security researchers under two weeks to succeed, through cross-site scripting.

The hacking contest is part of a marketing campaign in which the company claims that it offers "The most secure email accounts on the planet." This claim is based on the fact that this webmail service uses a phone verification system to add another layer of security to the authentication process. "We have it, and no one else does," the company notes.

When someone signs up for an account with Strong Webmail – pricing plans start at $4.99 per month – he is asked to provide one or more phone numbers at which he can be reached. The default behavior is that when someone attempts to log in with a username and password, he will be prompted to choose from one of the phone numbers provided at sign-up in order to receive a confirmation call. The authentication process will not continue if the call goes unanswered.

"Break into my email: get $10,000. Here is my username and password," announced Strong Webmail's CEO, Darren Berkovitz, on the company's official blog. In order to win, the potential hackers were required to extract "full text of our CEO's task due on 6/26/2009" and "full text of this task's notes." This information could only be obtained by accessing the Task List inside the account.

Renowned researchers Aviv Raff, Lance James and Mike Bailey teamed up and got to work. The three signed up for a Strong Webmail account of their own and poked around at the code of the webmail interface, only to discover a cross-site scripting weakness.

This allowed them to devise a persistent XSS attack by sending an e-mail with a specially crafted subject to Berkovitz. Then it was only a matter of waiting for him to open the e-mail message. Once he did, the account was compromised and the researchers were able to extract the information they needed.
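The article does not disclose the actual flaw, so the following is an added illustration, not Strong Webmail's code: the defect class behind a stored XSS in a rendered e-mail subject, shown beside its fix. The inbox-row renderer, the message object and its subject text are all constructed for the example.

```javascript
// Added illustration of the bug class (not Strong Webmail's code; the article
// does not disclose the real vector): an inbox row built by splicing an
// untrusted e-mail subject into HTML, beside the entity-encoded version.

// Minimal HTML entity encoder for text placed inside element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the sender-controlled subject is trusted as markup,
// so any tag it carries goes live the moment the recipient opens the inbox.
// The phone-call second factor never enters this path: the script would run
// inside the victim's already-authenticated session.
function renderInboxRowUnsafe(msg) {
  return `<tr><td>${msg.from}</td><td>${msg.subject}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded for the context it
// lands in (element content), so markup is displayed, never executed.
function renderInboxRowSafe(msg) {
  return `<tr><td>${escapeHtml(msg.from)}</td><td>${escapeHtml(msg.subject)}</td></tr>`;
}

// Check used in review or tests: does rendered output still contain a live
// <script> tag that did not come from the template itself?
function containsLiveScript(html) {
  return /<script/i.test(html);
}

// Constructed sample message: the subject carries markup and characters
// that must survive as plain text once encoded.
const sampleMessage = {
  from: 'sender@example.com',
  subject: 'Invoice <script>probe()</script> & "attachments"',
};

console.log(renderInboxRowSafe(sampleMessage));
```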

Their entry has not yet been validated by the Strong Webmail staff, and since the contest rules do not allow challengers to disclose details of the claimed hacks until they are confirmed, there is not a lot of information available about the attack. However, Lance James has posted some screenshots, believed to be related to this vulnerability, on Twitpic.