StrongWebmail CEO's e-Mail Account Hacked via XSS
Ryan Naraine writes on the ZDNet "Zero Day" Blog:
A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO’s e-mail has lost the challenge.
A trio of hackers successfully compromised the e-mail using a persistent cross-site scripting (XSS) vulnerability and are now claiming the bounty.
The hacking team of Aviv Raff, Lance James and Mike Bailey set up the attack by sending an e-mail to the company’s CEO Darren Berkovitz. When he opened the e-mail, the team exploited an XSS flaw to take control of the account.