Hackers 1, Marketing 0

Date June 4, 2009

I’m really sorry – I stole the title to this post from Rich at Securosis.  It was just so perfect I couldn’t resist.  On a side note before I say my piece, will you guys (Securosis) calm it down for a bit?  I can only read so many good posts a day (I have to share my time with other feeds don’t you know), but most certainly stop mentioning stuff that I want to write about myself as that just takes even more time.  Cut it out damn it – don’t you have some sort of company to run ;)

Anyway, normal service resuming.

When I saw the challenge – break into some company’s web-based email system – I pretty much knew it would all end in tears.  The idea behind this company and their “security” (the challenge was to break into the CEO’s email account, and they provided the username and password “to make things easier”) is that it uses “two-factor” authentication: after you authenticate, it calls your registered phone number(s) so you can confirm a code that was sent to you.  It’s closer to side-channel authentication than two-factor, but I’m really splitting hairs here.

Anyway, the thing we’ve known for a long time is that even with two-factor authentication there are still some really effective attacks.  Looking at an article reporting the end of the contest and some of the hack technique, one of them was clearly used – the good old Trojan attack (via XSS it seems; I would class XSS as a Trojan rather than MITM, but that’s me).

When two-factor authentication is in use, why bother trying to break/crack/defeat the authentication at all?  It’s much easier to wait for the user to authenticate (do all the hard work) and then take over from there.  That’s probably the attack pattern used (and what I would try myself).  If, as the article suggests, StrongWebmail was susceptible to XSS, then all you have to do is get some JavaScript (or other script/applet/etc) up onto their server, entice the user to that page (or email message), and let the script pull cookies/authentication tokens.  Once you have them, replay them to the app (substituting them for your original ones), and you’re in and able to masquerade as the target user.

There are a few things that are a little concerning here though.

First, that a “secure” webmail provider is susceptible to XSS is unforgivable – it’s just such an obvious attack mechanism and should be easily mitigated (well, not easily – there are lots of places to “hide” script in HTML, but there are certainly ways to protect against it).  Not everyone has NoScript (although they should), but even if they did I very much doubt it would have helped.  See, if the user had NoScript, they would likely have had the site trusted (they would have been there before, and as it’s not an “unknown” they would have allowed scripts to run so the site functions correctly).  When the XSS code tries to grab the session cookie, NoScript could have got in the way and stopped it from being POST’ed off site, but it could just as easily have been a GET, or better still a CSRF’ed email back to yourself, and voila! no “cross-site”, and practically all detection techniques would have missed this.

Secondly, if this was the case (and I’m by no means sure about this, but looking at the site in Paros it seems to be correct), having session cookies set to HttpOnly may not have been a complete mitigation, but it may have saved them.
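As an added illustration of the two defensive points above (output encoding against the XSS that steals the session, and the cookie flags you would look for when inspecting a login response in a proxy such as Paros), here is a small Node.js example.  It is not StrongWebmail’s code or from the original post; the message format and cookie name are made up, and the SameSite attribute postdates the post but is included as the current mitigation for the CSRF variant mentioned above.

```javascript
// Added example (not StrongWebmail's code): two defensive checks for the
// attack pattern described above, written for Node.js with no dependencies.
//
// 1. Output-encode untrusted text (an email subject or body) before it is
//    placed in HTML, so an attacker-supplied <script> is rendered as text.
// 2. Audit a Set-Cookie header the way one would when inspecting responses in
//    an intercepting proxy: flag session cookies that lack HttpOnly/Secure.

// Map each HTML-significant character to its entity so untrusted text cannot
// terminate the surrounding element or attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Render one message into an HTML fragment. Everything that came from the
// sender (subject, body) passes through escapeHtml; only our own markup is raw.
function renderMessage(msg) {
  return `<div class="msg"><h2>${escapeHtml(msg.subject)}</h2>` +
         `<pre>${escapeHtml(msg.body)}</pre></div>`;
}

// Parse a Set-Cookie header value and report which protective attributes are
// missing. HttpOnly keeps document.cookie (and thus injected script) from
// reading the value; Secure keeps it off plaintext HTTP; SameSite limits the
// cross-site request forgery variant the post mentions.
function auditSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim());
  const [name] = parts[0].split('=');
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  if (!attrs.has('samesite')) missing.push('SameSite');
  return { name, missing };
}

// Build the header a webmail login response should send for its session id.
// The cookie name "SESSID" is a hypothetical placeholder.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample message: an inbound mail whose body carries a script tag.
const sample = { subject: 'Hi <b>CEO</b>', body: '<script>alert(1)</script>' };
console.log(renderMessage(sample));
console.log(auditSetCookie('SESSID=abc123; Path=/'));
console.log(auditSetCookie(sessionCookieHeader('SESSID', 'abc123')));
```

The first audit call reports all three attributes missing, which is what a response lacking HttpOnly would look like in the proxy; the second reports none.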

In conclusion, what was clearly a marketing stunt backfired badly.  They deserve to get their ass handed to them because a) having the community do your pentest work for you is kinda shady, especially for marketing purposes, and b) this is such an obvious attack that it should have come up in a threat model, and its mitigation should have been very strongly validated.

From the CEO of StrongWebMail:

“I think if anything this contest will bring attention [that] the major mail providers … really need to take additional steps to secure their email.” We all have sensitive info in our inboxes – how secure are you?

Answer: Not very.

EDIT: In the comments of the PCWorld article, it looks like someone else was onto a different strategy by discovering the “two-factor” phone number (via brute force) and spoofing it – a technique that was also likely to work.

One Response to “Hackers 1, Marketing 0”

  1. Mike said:

    Ok, bad form to reply immediately to your own post, but XSS confirmed.

    http://twitpic.com/6ma8u
    http://twitpic.com/6ji72

    Thanks Ryan
