Bugtraq mailing list archives

Re: Hushmail.com accounts vulnerable to script attack.


From: Friday Germany <fridaygermany () yahoo com>
Date: Thu, 13 Sep 2001 22:08:14 -0700 (PDT)

TOPIC: Hushmail.com accounts vulnerable to script
attack.
ADVISORY NR: 200102
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)

CONTACT INFORMATION:
http://onesemicolon.cjb.net
me () onesemicolon cjb net
*SNIP*

I can confirm this attack, but I also have to report a
far more serious vulnerability in Hushmail (which was
probably executed using the described attack). An
email was sent using my hushmail account, _including_
a previous message to the previous recipient of an
email message. Upon inquiry Hushmail confirmed that
they had a problem with user authentication but they
state that no encrypted email was exposed. I also have
to add that the PGP signature on the email sent
through my account did not verify. Nevertheless, the
email originated from Hushmail's mailserver and reached
a recipient _containing_ a previous email. This can do
some serious damage to people handling confidential
matters through Hushmail. Hushmail states that the
problem has been fixed. 
