Bugtraq mailing list archives

Re: Accounts easily compromised on Critical Path web mail service, CP does not respond after 30 days.


From: Michael Serbinis <ms () CP NET>
Date: Fri, 25 Aug 2000 22:13:41 -0000

It was recently reported on Bugtraq that a loophole was 
found in Critical Path’s Webmail product.  Upon identifying 
this bug, Critical Path’s team quickly developed and 
implemented a bug fix.  Action was taken immediately and 
the patch was rolled into production after the proper 
quality assurance reviews were conducted. 

Critical Path has now modified the way cookies are used in 
its Webmail product, improving security for all its 
customers.  Cookies will change every time a user logs in, 
being session specific.  All sessions initiated with 
out-of-date or invalid cookies will be ignored.  In addition, the 
web mail software escapes html/script entities to prevent 
malicious code from affecting user security.

None of Critical Path’s customers experienced any impact 
from this bug.  The fact remains that security will 
continue to be an ongoing challenge for any company on or 
associated with the Internet.  Critical Path will continue 
to maintain the high security standards that its customers 
expect.
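
Added illustration, not part of the post and not Critical Path's code, of the two mitigations described above: a session cookie minted fresh on every login, with any earlier cookie for that user rejected as out-of-date, and HTML/script entities escaped before a message body is rendered. `WebmailSessions` and `render_message` are assumed names.

```python
import html
import secrets


class WebmailSessions:
    """Server-side session store (hypothetical name, illustrative only).

    Each login mints a new random session id; earlier ids for the same
    user are dropped, so a stale or guessed cookie identifies nobody.
    """

    def __init__(self):
        self._active = {}  # session id -> username

    def login(self, username):
        # Invalidate any session this user already holds before issuing
        # a new one: an old cookie must not keep working after re-login.
        for sid, user in list(self._active.items()):
            if user == username:
                del self._active[sid]
        # 256 bits from the OS CSPRNG; not derived from the user or time.
        sid = secrets.token_urlsafe(32)
        self._active[sid] = username
        return sid

    def user_for(self, cookie):
        # Unknown, expired or replayed cookies map to None, i.e. the
        # request is ignored rather than served as some user.
        return self._active.get(cookie)

    def logout(self, cookie):
        self._active.pop(cookie, None)


def render_message(body):
    # Escape markup in received mail so it is displayed as text in the
    # webmail page instead of being interpreted by the browser.
    return html.escape(body, quote=True)


if __name__ == "__main__":
    store = WebmailSessions()
    first = store.login("alice")   # constructed sample user
    second = store.login("alice")  # second login rotates the cookie
    print("old cookie still valid:", store.user_for(first) is not None)
    print(render_message('<script>alert("x")</script>'))
```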
