Bugtraq mailing list archives
Re: Hushmail.com accounts vulnerable to script attack.
From: Friday Germany <fridaygermany () yahoo com>
Date: Thu, 13 Sep 2001 22:08:14 -0700 (PDT)
TOPIC: Hushmail.com accounts vulnerable to script attack.
ADVISORY NR: 200102
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
CONTACT INFORMATION: http://onesemicolon.cjb.net me () onesemicolon cjb net

*SNIP*

I can confirm this attack, but I also have to report a far more serious vulnerability in Hushmail (which was probably executed using the described attack).

An email was sent using my hushmail account, _including_ a previous message to the previous recipient of an email message. Upon inquiry, Hushmail confirmed that they had a problem with user authentication, but they state that no encrypted email was exposed.

I also have to add that the PGP signature on the email sent through my account did not verify. Nevertheless, the email originated from Hushmail's mailserver and reached a recipient _containing_ a previous email.

This can do some serious damage to people handling confidential matters through Hushmail.

Hushmail states that the problem has been fixed.