Archive for June, 2009

Strongwebmail.com Contest Analysis


If you are in the security industry you have probably heard that Strongwebmail.com held a “hacking” contest to promote their “unhackable” authentication scheme. In a nutshell, users authenticate with their user ID/password and are then sent a one-time numeric string via SMS or voice call. Without the numeric string (or PIN), you don’t get in. If you followed this story you are no doubt aware that a couple of security researchers (Lance James, Aviv Raff, and Mike Bailey) were able to bypass the webmail’s input/output validation on email messages and XSS’d the CEO, gaining access to his calendar and claiming the prize.

Some called the contest a failure; others called it a success, as Strongwebmail.com had essentially received a $10,000 pen-test. However, I wouldn’t call it a very good pen-test, as Strongwebmail.com still has a few remaining problems:

Directory indexing exposes CodeIgniter tree:

[Screenshot: strongwebmail1]

Directory of misc. scripts:

[Screenshot: strongwebmail2]

Paypal scripts:

[Screenshot: strongwebmail5]

Also, I found what appears to be their webmail interface that is reading my cookie as the user “ceo”:

[Screenshot: strongwebmail4]

Nothing on the interface worked, but this is still functionality that should not be exposed.

The lesson learned here is that if you are going to evaluate the security of an application, you need to start at the lower levels of the stack and work your way up. In Strongwebmail.com’s case, they not only had weaknesses in the application layer (XSS), but at the platform layer as well.
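To make the platform-layer point concrete, here is an added illustration (not a configuration from this post or from Strongwebmail.com): an Apache 2.4 virtual host in the common default shape that produces exactly the kind of CodeIgniter directory listing shown above, beside a hardened version. The hostname, filesystem paths and directory names are placeholders I chose for the example.

```apache
# WEAK (typical default): directory indexing is on for the whole tree, and the
# framework's application/ and system/ directories, plus ad-hoc scripts, sit
# under the DocumentRoot. Any directory without an index file returns a listing.
<VirtualHost *:80>
    ServerName webmail.example.test            # placeholder hostname
    DocumentRoot /var/www/webmail              # assumed layout: index.php, application/, system/, scripts/
    <Directory /var/www/webmail>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

# HARDENED: listings off everywhere, only the front controller's directory is
# served, and the framework/script directories are refused outright even if a
# later misconfiguration puts them back under the web root.
<VirtualHost *:80>
    ServerName webmail.example.test            # placeholder hostname
    # Only the public entry point (index.php and static assets) lives here;
    # application/ and system/ stay one level up, outside the web root.
    DocumentRoot /var/www/webmail/public

    # Deny by default for the whole filesystem.
    <Directory />
        Options None
        AllowOverride None
        Require all denied
    </Directory>

    # Serve the public directory, with indexing explicitly disabled.
    <Directory /var/www/webmail/public>
        Options -Indexes -FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Defence in depth: framework code and one-off scripts are never served,
    # regardless of where the DocumentRoot points.
    <DirectoryMatch "^/var/www/webmail/(application|system|scripts)/">
        Require all denied
    </DirectoryMatch>
</VirtualHost>
```

A quick check after deploying the hardened version is to request a directory that has no index file and confirm the server answers 403 rather than an “Index of” page.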

New web site and blog


Late last week we launched our new web site. The new site does a much better job of communicating what it is that we do. The site was designed by My Design Studio (http://www.my-design-studio.com/). They did an excellent job, were on time, and were very professional.

Also, we started our blog.  This is where we’ll post our take on issues in information security as well as things we are tinkering with or researching.