Researchers crack CEO's e-mail account, want $10,000 prize

Computerworld - Three security researchers today claimed that they had hacked into the e-mail account of the CEO of StrongWebmail, the company that said two weeks ago it would pay $10,000 to the first person who broke into the account.

Working as a team, Aviv Raff, Lance James, and Mike Bailey took up the challenge and have accessed the CEO's account, Raff said in an instant message today.

Raff, an Israeli researcher, frequently uncovers vulnerabilities in browsers, and may be best known for digging up an Internet Explorer connection to the so-called "carpet bomb" attacks first pegged to a bug in Apple's Safari.

StrongWebmail, however, was not ready to concede. "We've gotten a few entries, and we're reviewing them to see that they complied with the rules," said Darren Berkovitz, the company's chief operating officer, in an interview Thursday. "It will take a little bit of time to confirm, maybe later today or tomorrow, but we'll pay the prize if someone did hack into the account."

The StrongWebmail service adds another authentication layer to logging into an online e-mail account: phone verification. Users register one or more phone numbers with the service, choose one of those numbers when logging on, then use the three-digit security code provided by the phone call or text message to complete the log-in process.

For the contest, StrongWebmail gave the CEO's e-mail address, his username and his password. But without his cell phone and its number, StrongWebmail believed the system was foolproof.

According to a long thread on the Twitter micro-blogging service, the three hacked the account via one or more cross-site scripting vulnerabilities in the StrongWebmail service and site. Raff, however, declined to comment on whether that was the avenue he, James and Bailey used.

"We knew it wasn't 100% bulletproof," admitted Berkovitz. "We're looking now at whether there was a bug in the mail software, which we licensed from someone else."

The $10,000 prize, Berkovitz continued, was as much a promotional ploy as a hacker challenge. "The contest was meant to bring attention to the state of Web mail security," he said, citing last year's hack of then-vice presidential candidate Gov. Sarah Palin's Yahoo Mail account as an example. "On Hotmail, one of the security questions is 'What is your pet's name?' I can go to your Facebook page and get that," noted Berkovitz.

StrongWebmail hopes that the contest, even if a failure, will prod online e-mail providers like Google, Microsoft and Yahoo to add similar authentication to their services.