Bugtraq mailing list archives
Re: Hushmail.com accounts vulnerable to script attack.
From: Brian Smith <sundaydriver () hushmail com>
Date: 19 Sep 2001 01:04:11 -0000
There was a sporadic problem with our IMAP/PHP session management that occurred around the 6th and 7th of this month. It was caused by a race condition that occasionally resulted in non-unique session IDs, in which case the second party to receive the duplicate ID would have limited access to the first party's IMAP account. I stress that this did not compromise private keys, passphrases, or encrypted mail at any point, as all encryption operations are handled in the client Java applet. There was no opening for a targeted attack - what exposure resulted was random. Sorry if this is a repeat post.
Brian Smith, Hush Communications
brian.smith () hush com
Upon inquiry Hushmail confirmed that they had a problem with user authentication but they state that no encrypted email was exposed. I also have to add that the PGP signature on the email sent through my account did not verify. Nevertheless, the email originated from Hushmail's mailserver and reached a recipient _containing_ a previous email. This can do some serious damage to people handling confidential matters through Hushmail. Hushmail states that the problem has been fixed.
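The failure mode Brian Smith describes (a race that hands two parties the same session ID) and the property a fix needs (IDs that are unpredictable and issued under an atomic check) can be shown in a small model. This is an added illustration, not Hushmail's code; the counter-based generator, the session store and the user names are constructed for the example.

```python
import hashlib
import secrets
import threading
from typing import Dict, Optional, Tuple

# Constructed model of the race-prone scheme: an ID derived from the wall-clock
# second plus a counter that each request reads and then writes back without
# a lock. Two requests arriving in the same second can both observe the same
# counter value and therefore derive the same session ID.
def naive_session_id(now_seconds: int, counter_snapshot: int) -> str:
    return hashlib.md5(f"{now_seconds}:{counter_snapshot}".encode()).hexdigest()

def interleaved_naive_requests(now_seconds: int, counter: int) -> Tuple[str, str]:
    """Two requests whose counter reads interleave before either write lands."""
    snap_a = counter  # request A reads the counter
    snap_b = counter  # request B reads it before A has written counter + 1
    # both then write counter + 1: one update is lost and both IDs collide
    return naive_session_id(now_seconds, snap_a), naive_session_id(now_seconds, snap_b)

class SessionStore:
    """Issues CSPRNG session IDs and never binds two users to one ID."""

    def __init__(self, id_bytes: int = 32) -> None:
        self._sessions: Dict[str, str] = {}
        self._lock = threading.Lock()  # makes check-and-insert atomic
        self._id_bytes = id_bytes

    def create(self, user: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG; 32 bytes = 256 bits,
        # so a collision is not a practical concern. The uniqueness check under
        # the lock means a duplicate would be regenerated, never shared.
        with self._lock:
            while True:
                sid = secrets.token_urlsafe(self._id_bytes)
                if sid not in self._sessions:
                    self._sessions[sid] = user
                    return sid

    def bind(self, sid: str, user: str) -> bool:
        """Attach a user to an ID only if it is unused or already theirs."""
        with self._lock:
            if sid in self._sessions and self._sessions[sid] != user:
                return False  # refuse to let a second party share the session
            self._sessions[sid] = user
            return True

    def owner(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)
```

The store's lock is what turns the lost-update race into a refused bind: under load, a second party that presents an ID already owned gets `False` rather than the first party's mailbox.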
Current thread:
- Hushmail.com accounts vulnerable to script attack. onesemicolon (Sep 12)
- <Possible follow-ups>
- Re: Hushmail.com accounts vulnerable to script attack. Brian Smith (Sep 13)
- Re: Hushmail.com accounts vulnerable to script attack. Friday Germany (Sep 14)
- Re: Hushmail.com accounts vulnerable to script attack. Brian Smith (Sep 18)