[22647] in bugtraq
Re: Hushmail.com accounts vulnerable to script attack.
daemon@ATHENA.MIT.EDU (Friday Germany)
Fri Sep 14 10:23:50 2001
Message-ID: <20010914050814.36793.qmail@web20808.mail.yahoo.com>
Date: Thu, 13 Sep 2001 22:08:14 -0700 (PDT)
From: Friday Germany <fridaygermany@yahoo.com>
To: bugtraq@securityfocus.com
In-Reply-To: <20010913155715.5850.qmail@securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
TOPIC: Hushmail.com accounts vulnerable to script attack.
ADVISORY NR: 200102
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
CONTACT INFORMATION:
http://onesemicolon.cjb.net
me@onesemicolon.cjb.net
*SNIP*
I can confirm this attack, but I also have to report a
far more serious vulnerability in Hushmail (which was
probably executed using the described attack). An
email was sent using my Hushmail account, _including_
a previous message to the previous recipient of an
email message. Upon inquiry Hushmail confirmed that
they had a problem with user authentication but they
state that no encrypted email was exposed. I also have
to add that the PGP signature on the email sent
through my account did not verify. Nevertheless, the
email originated from Hushmail's mailserver and reached
a recipient _containing_ a previous email. This can do
some serious damage to people handling confidential
matters through Hushmail. Hushmail states that the
problem has been fixed.