Feeds

Hackers scalp StrongWebmail to claim cash prize

$10,000 for successful schedule snoop

High performance access to file storage

Ethical hackers are claiming a $10,000 prize for successfully breaking into the webmail account of the chief exec of StrongWebmail after the firm issued a "hack us if you can" challenge.

StrongWebMail runs a callback verification system so that, in theory, even if someone obtains a user's login details they can't read email from the account without also having access to the phone associated with a particular account. Logins into StrongWebMail from previously unused machines need this secondary form of confirmation.

The US start-up was so confident of its claims that its Darren Berkovitz published his account name and password in laying down a $10K challenge to hackers to break into his account and find out his schedule for 26 June. StrongWebMail's features include calendar and to-do lists as well as webmail.

Security researchers Lance James, Aviv Raff and Mike Bailey obtained the information and claimed their prize on Thursday. StrongWebMail confirmed that the data obtained was correct, but are holding off in paying out the prize because they are yet to be convinced the Ruff and co stuck to competition rules. The rules prohibit the use of social engineering trickery (such as tricking or paying an insider to hand over account access).

The group of researchers maintain they played fair and used a cross-site scripting (XSS) vulnerability to access the target account after first registering an account of their own with the service. The trio are withholding details out of concerns the same approach might be used to access other accounts without permission, and in line with competition rules.

James, Raff and Bailey demonstrated their attack on a test account set up with StrongWebMail by IDG. But the compromise was possible only after the NoScript extension on the Firefox browser of the XP machine used in the test was disabled, IDG reports.

Hacking competitions such as the one established by StrongWebMail might make for good publicity but they don't prove much. Even if no one wins a particular challenge it doesn't follow that a system is unhackable - just that it wasn't broken this time around. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.