The StrongWebMail Incident
In case you've been living under a rock, Lance James, Aviv Raff, and I took up StrongWebMail's challenge to break into their CEO's webmail and claim a $10,000 prize. The terms of the contest preclude us from disclosing the details of the exploit, and while they've partially patched the holes that caused it, I'm not sure we're ever going to be allowed to tell the whole story.
Rest assured, we will openly disclose as much as we can, as soon as we can. In fact, I already have a blog post written and ready to go live. It will be published early next week at the latest, so stay tuned.
The current status: StrongWebMail's CEO confirmed that we exploited the application. They still have not confirmed that we won the prize, and are checking to make sure we complied with the contest rules. I'm confident we did. They gave themselves 3 business days (from yesterday, when we submitted the golden ticket) to confirm the win.
A few news reports about the incident implied that we may not qualify because social engineering is off limits. I can't make comments regarding the extent to which we used social engineering, but the rules say nothing about it, only that "working with an employee of StrongWebmail.com or one of its affiliates or partners to complete the hack" is not allowed.
Labels: mcktwin, StrongWebMail


4 Comments:
Nice job! I read about it but I didn't know you were amongst the team (but I'm not surprised at all). My guess is they'll triple check everything next time they try such a PR stunt.
By Sébastien Duquette, at June 5, 2009 11:54 AM
roflz gg uninstall StrongWebmail
By Anonymous, at June 5, 2009 12:32 PM
My guess is they'll not be trying such a PR stunt again.
You gotta wonder who thought it was a good idea in the first place.
By UrbanSage, at June 5, 2009 1:27 PM
In the "who thought it was a good idea" vein, probably the CEO and his marketing department, which two parties are commonly the farthest removed from the details of product reality. It's the marketing mentality that put the *strong* in StrongWebMail (and the *wired equivalent* in WEP) while not giving a fig about the details--and then it's the CEO who believes that press (or, to use another metaphor, who drinks what he's selling) and takes the show on the road and sets up The Big Fall. In between and underneath are the devs, testers, and documenters--anyone actually in touch with product realities--shouting "No, no, no, no, NO!" only to be dismissed, as usual, as naysayer cranks.
Scott Adams of Dilbert would have conveyed the idea in just six panels, and probably has. :-)
By Anonymous, at June 9, 2009 10:27 AM