Re: Hushmail.com accounts vulnerable to script attack.

[Brian Smith <sundaydriver () hushmail com>]

There was a sporadic problem with our IMAP/PHP 
session management that occured around the 6th 
and 7th of this month.  It was caused by a race 
condition that occasionally resulted in non-unique 
session IDs, in which case the second party to 
receive the duplicate ID would have limited access to 
the first party's IMAP account.

I stress that this did not compromise private keys, 
passphrases, or encrypted mail at any point, as all 
encryption operations are handled in the client Java 
applet.  There was no opening for a targeted attack - 
what exposure resulted was random.

Sorry if this is a repeat post.

Brian Smith, Hush Communications
brian.smith () hush com


> Upon inquiry Hushmail confirmed that
> they had a problem with user authentification but 
they
> state that no encrypted email was exposed. I also 
have
> to add that the PGP signature on the email sent
> through my account did not verify. Nevertheless, the
> email originated from Hushmails mailserver and 
reached
> a recipient _containing_ a previous email. This can 
do
> some serious damage to people handling 
confidential
> matters through Hushmail. Hushmail states that the
> problem has been fixed.