Security Flaw Discovered in Webmail System | Internet News
IT Management
SHARE
Facebook X Pinterest WhatsApp

Security Flaw Discovered in Webmail System

Written By
Brian McWilliams
Brian McWilliams
Aug 23, 2000
2 minute read

A serious security flaw has been found in the Web-based email service from Critical Path Inc.

The vulnerability potentially affects more than 22 million people, including users of webmail offerings from CompuServe, ICQ, AltaVista, Network Solutions, US West, and other customers of Critical Path’s
outsourced webmail service.

The security bug enables a malicious user to take over a victim’s email account, reading and deleting his or her mail, and sending mail as the victim.

Details of the security hole were published on the Bugtraq security mailing list Monday by Jeffrey W. Baker, a programmer and former employee of Critical Path.

Baker told InternetNews Wednesday that the hole is especially troubling because users can’t defend against it by simply changing their password. “Once you are successfully attacked, you can never regain control of your email account. You would simply have to abandon it and start up a new one,” said Baker.

The attack draws upon a well-known browser
vulnerability and involves stealing a “session cookie” from the webmail user. According to Baker, the cookie theft itself is quite simple and can be accomplished by sending the victim an HTML email message with an embedded image file anchored by a few lines of innocent looking JavaScript code.

“The user would only have to open the email in the webmail interface, and they wouldn’t have much choice but to fall into your trap,” said Baker.

Critical Path Wednesday confirmed the security bug report and said a fix is on the way. According to Mike Serbinis, chief security officer, the patch will create a “smarter” session cookie with a constantly changing hash value. When available, as early as the end of Wednesday, the fix will immediately roll out to all of the company’s outsourced email customers.

“As soon as we were warned of the loophole, we investigated it. One of the benefits of outsourcing is that there’s no redeployment of software required by customers or end users,” said Serbinis.

Until the fix is in place, concerned users can avoid the security hole, according to Baker, by disabling JavaScript in their browsers.

Baker said he decided to publish his discovery after Critical Path failed to respond to his offer over a month ago to provide his security consulting services to fix the bug.
Brian McWilliams
Internet News Logo

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

facebook
x

Company

Contact us Advertise with us

Categories

News Enterprise Small Business Reviews Podcasts Blog Research

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information