[22678] in bugtraq
Re: Hushmail.com accounts vulnerable to script attack.
daemon@ATHENA.MIT.EDU (Brian Smith)
Tue Sep 18 23:34:32 2001
Date: 19 Sep 2001 01:04:11 -0000
Message-ID: <20010919010411.17213.qmail@securityfocus.com>
From: Brian Smith <sundaydriver@hushmail.com>
To: bugtraq@securityfocus.com
There was a sporadic problem with our IMAP/PHP
session management that occurred around the 6th
and 7th of this month. It was caused by a race
condition that occasionally resulted in non-unique
session IDs, in which case the second party to
receive the duplicate ID would have limited access to
the first party's IMAP account.
I stress that this did not compromise private keys,
passphrases, or encrypted mail at any point, as all
encryption operations are handled in the client Java
applet. There was no opening for a targeted attack -
what exposure resulted was random.
Sorry if this is a repeat post.
Brian Smith, Hush Communications
brian.smith@hush.com
> Upon inquiry Hushmail confirmed that
> they had a problem with user authentication but they
> state that no encrypted email was exposed. I also have
> to add that the PGP signature on the email sent
> through my account did not verify. Nevertheless, the
> email originated from Hushmail's mailserver and reached
> a recipient _containing_ a previous email. This can do
> some serious damage to people handling confidential
> matters through Hushmail. Hushmail states that the
> problem has been fixed.
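Added illustration, not Hush's code: the failure Brian Smith describes in his reply above is a session store that binds a freshly generated ID to an account without checking that the ID is unused, so the second party handed a duplicate ID resolves to the first party's account. The hardened store below does generate, check and insert under one lock and regenerates on collision; the store class and the colliding generator used to exercise it are assumptions made for the example.

```python
import secrets
import threading


def naive_bind(sessions, sid, account):
    """What a store with no collision check does: the first binding of an ID
    wins, so a second party handed the same ID resolves to the first account."""
    sessions.setdefault(sid, account)
    return sessions[sid]


class SessionStore:
    """Session ID -> account map whose check-and-insert is one atomic step."""

    def __init__(self, id_generator=None):
        # Default: 256-bit token from the OS CSPRNG, so collisions are negligible.
        self._gen = id_generator or (lambda: secrets.token_urlsafe(32))
        self._lock = threading.Lock()
        self._sessions = {}
        self.collisions = 0  # times a freshly generated ID was already in use

    def create(self, account):
        """Return an ID bound to `account`; never reuses an ID already issued."""
        with self._lock:  # generate, check and insert under a single lock
            while True:
                sid = self._gen()
                if sid not in self._sessions:
                    self._sessions[sid] = account
                    return sid
                self.collisions += 1  # regenerate rather than hand out a duplicate

    def owner(self, sid):
        with self._lock:
            return self._sessions.get(sid)


def concurrent_create(store, n):
    """Create n sessions from n threads at once; returns {account: sid}."""
    results = {}

    def worker(name):
        results[name] = store.create(name)

    threads = [threading.Thread(target=worker, args=(f"user{i}",)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

With a constructed generator that returns the same ID twice, the naive binding gives the second account the first account's session, while SessionStore counts one collision and issues a fresh ID.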