If you are in the security industry you have probably heard that Strongwebmail.com held a “hacking” contest to promote their “unhackable” authentication scheme. In a nutshell, users authenticate with their user ID/password and are then sent, via SMS or voice call, a one-time numeric string. Without the numeric string (or PIN), you don’t get in. If you followed this story you are no doubt aware that a couple of security researchers (Lance James, Aviv Raff, and Mike Bailey) were able to bypass the webmail’s input/output validation on email messages and XSS’d the CEO, gaining access to his calendar and claiming the prize.
Some called the contest a failure; others called it a success, as Strongwebmail.com had essentially received a $10,000 pen-test. However, I wouldn’t call it a very good pen-test, as Strongwebmail.com still has a few remaining problems:
Directory indexing exposes CodeIgniter tree:
Directory of misc. scripts:
Also, I found what appears to be their webmail interface that is reading my cookie as the user “ceo”:
Nothing on the interface worked, but this is still functionality that should not be exposed.
The lesson learned here is that if you are going to evaluate the security of an application, you need to start at the lower levels of the stack and work your way up. In Strongwebmail.com’s case, they had weaknesses not only in the application layer (XSS) but in the platform beneath it as well.
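As an added example (my own code, not anything from Strongwebmail.com or the researchers), here is the kind of platform-level self-check that catches the directory-indexing problem above: it walks a list of directories under your own web root and flags any that come back as a server-generated index listing. The candidate directory names and the `example.invalid` responses are constructed assumptions; swap in `http_fetch` and your own base URL to run it against a real host you are responsible for.

```python
"""Audit a web root for auto-generated directory listings (e.g. an exposed framework tree)."""
import re
from typing import Callable, List
from urllib.parse import urljoin
from urllib.request import urlopen

# Signatures of index pages produced by common servers (Apache mod_autoindex, nginx autoindex).
LISTING_MARKERS = (
    re.compile(r"<title>Index of /", re.I),
    re.compile(r"<h1>Index of /", re.I),
    re.compile(r"Parent Directory", re.I),
)

# Assumed candidate list: a CodeIgniter-style tree plus a couple of "misc scripts" dirs.
CANDIDATE_DIRS = ["system/", "application/", "system/application/", "scripts/", "misc/"]


def is_directory_listing(body: str) -> bool:
    """True when the response body looks like a server-generated directory index."""
    return any(marker.search(body) for marker in LISTING_MARKERS)


def audit(base_url: str, fetch: Callable[[str], str], candidates=CANDIDATE_DIRS) -> List[str]:
    """Return the candidate URLs under base_url that respond with an index listing.
    fetch(url) must return the body as text, or raise on a non-200 response."""
    exposed = []
    for directory in candidates:
        url = urljoin(base_url, directory)
        try:
            body = fetch(url)
        except Exception:
            continue  # 403/404/network error: nothing listed here
        if is_directory_listing(body):
            exposed.append(url)
    return exposed


def http_fetch(url: str) -> str:
    """Real fetcher for use against a host you own; raises HTTPError on 403/404."""
    with urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses standing in for a live server (offline demo).
SAMPLE_SITE = {
    "https://example.invalid/system/": "<title>Index of /system</title><h1>Index of /system</h1>"
                                        "<a href='/'>Parent Directory</a>",
    "https://example.invalid/application/": "<html><body>Directory access is forbidden.</body></html>",
    "https://example.invalid/scripts/": "<title>Index of /scripts</title>",
}


def fake_fetch(url: str) -> str:
    if url not in SAMPLE_SITE:
        raise IOError("404")
    return SAMPLE_SITE[url]


if __name__ == "__main__":
    print(audit("https://example.invalid/", fake_fetch))
```

Any URL it reports should get directory listing disabled at the server (for Apache, `Options -Indexes`) and, for framework internals like the CodeIgniter tree, moved outside the document root altogether.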