Security Flaw Discovered in Webmail System

A serious security flaw has been found in the Web-based email service from Critical Path Inc.

The vulnerability potentially affects more than 22 million people, including users of webmail offerings from CompuServe, ICQ, AltaVista, Network Solutions, US West, and other customers of Critical Path’s outsourced webmail service.

The security bug enables a malicious user to take over a victim’s email account, reading and deleting his or her mail, and sending mail as the victim.

Details of the security hole were published on the Bugtraq security mailing list Monday by Jeffrey W. Baker, a programmer and former employee of Critical Path.

Baker told InternetNews Wednesday that the hole is especially troubling because users can’t defend against it by simply changing their password. “Once you are successfully attacked, you can never regain control of your email account. You would simply have to abandon it and start up a new one,” said Baker.

The attack draws upon a well-known browser vulnerability and involves stealing a “session cookie” from the webmail user. According to Baker, the cookie theft itself is quite simple and can be accomplished by sending the victim an HTML email message with an embedded image file anchored by a few lines of innocent looking JavaScript code.

“The user would only have to open the email in the webmail interface, and they wouldn’t have much choice but to fall into your trap,” said Baker.

Critical Path Wednesday confirmed the security bug report and said a fix is on the way. According to Mike Serbinis, chief security officer, the patch will create a “smarter” session cookie with a constantly changing hash value. When available, as early as the end of Wednesday, the fix will immediately roll out to all of the company’s outsourced email customers.
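The rotating-cookie fix described above, as an added Python illustration that is not Critical Path's code: every authenticated request retires the cookie it was presented with and issues a fresh one, so a copy captured from one page view stops working after the victim's next click, and a retired cookie turning up again is treated as evidence of a second holder and ends the session. The user name "alice", the store layout and the token format are constructed for the example.

```python
import secrets

class RotatingSessionStore:
    # Constructed example of a server-side store that rotates the session
    # cookie on every request; illustration only, not Critical Path's code.
    def __init__(self):
        self._sessions = {}    # session_id -> user name
        self._current = {}     # live cookie value -> session_id
        self._retired = {}     # previously issued cookie -> session_id

    def login(self, user: str) -> str:
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = user
        # 256 bits from the OS CSPRNG: unpredictable from any earlier cookie.
        cookie = secrets.token_urlsafe(32)
        self._current[cookie] = session_id
        return cookie

    def handle_request(self, cookie: str):
        """Return (user, new_cookie) for a live cookie; None otherwise.
        Each success retires the presented cookie and issues a fresh one."""
        session_id = self._current.pop(cookie, None)
        if session_id is None:
            # A cookie that was valid earlier but has since been rotated means
            # two parties hold copies. End the session so neither copy works.
            retired_sid = self._retired.pop(cookie, None)
            if retired_sid is not None:
                self.revoke(retired_sid)
            return None
        self._retired[cookie] = session_id
        new_cookie = secrets.token_urlsafe(32)
        self._current[new_cookie] = session_id
        return self._sessions[session_id], new_cookie

    def revoke(self, session_id: str) -> None:
        # Drop the session and every cookie (live or retired) tied to it.
        self._sessions.pop(session_id, None)
        self._current = {c: s for c, s in self._current.items() if s != session_id}
        self._retired = {c: s for c, s in self._retired.items() if s != session_id}

def demo() -> dict:
    """One session: a normal page view, a stale copy replayed, the fallout."""
    store = RotatingSessionStore()
    c0 = store.login("alice")
    user, c1 = store.handle_request(c0)   # normal page view rotates the cookie
    stale = store.handle_request(c0)      # old copy presented again: rejected
    after = store.handle_request(c1)      # session already ended by the replay
    return {"user": user, "rotated": c1 != c0, "stale": stale, "after": after}
```

Production systems usually allow a short overlap window so that concurrent requests from the same browser (several images loading at once) are not mistaken for a second holder.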

“As soon as we were warned of the loophole, we investigated it. One of the benefits of outsourcing is that there’s no redeployment of software required by customers or end users,” said Serbinis.

Until the fix is in place, concerned users can avoid the security hole, according to Baker, by disabling JavaScript in their browsers.

Baker said he decided to publish his discovery after Critical Path failed to respond to his offer over a month ago to provide his security consulting services to fix the bug.
