Security Flaw Persists in Some Non-UO Webmail Systems
Joyce Winslow
jwins@oregon.uoregon.edu
If you use a commercial webmail product, be aware that a serious security flaw has been discovered in a popular web-based email service used by several commercial providers. Although the flaw was first reported last summer and the vendor has assured customers that it is working on a fix, the problem remains unresolved as we go to press.
The bug makes users vulnerable to having their email accounts hijacked by a malicious user, who then can read or delete the victim's mail, or send mail undetected from the victim's account. The problem potentially affects over 22 million people, including those who use webmail products from some of the leading service providers.
The bug takes advantage of a well-known browser vulnerability to steal a "session cookie" from a webmail user (for more information on cookies, see "How to Avoid Being Profiled by Online Advertisers" in this issue). Once in possession of the cookie, a perpetrator can easily take over the user's email account.
Unfortunately, users cannot defend themselves against this attack by simply changing their passwords: a new password does not invalidate a session cookie that has already been stolen, so the intruder keeps access for as long as the service continues to honor that cookie. Once an email account has been hijacked in this way, its owner has no way to reclaim it.
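To see why a stolen session cookie is so dangerous, and why changing the password does not help, here is a small model of a webmail login service. It is an added illustration written for this article, not code from the vendor or from any real webmail product; the in-memory session store, the user and password values, and the toy password hashing are all constructed for the example. The model is run twice: once as a service that keeps every existing session alive after a password change (the weak behavior the article describes), and once as a service that revokes all outstanding sessions and issues a fresh cookie.

```python
import hashlib
import secrets


class SessionStore:
    """In-memory model of a webmail login service (constructed for illustration)."""

    def __init__(self, revoke_sessions_on_password_change):
        self.revoke_sessions_on_password_change = revoke_sessions_on_password_change
        self.passwords = {}  # user -> (salt, digest); toy scheme, not production hashing
        self.sessions = {}   # cookie value -> user; the cookie is the only proof of identity

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256((salt + password).encode()).hexdigest()

    def set_password(self, user, password):
        salt = secrets.token_hex(8)
        self.passwords[user] = (salt, self._digest(salt, password))

    def login(self, user, password):
        """Return a fresh session cookie on success, None on a bad password."""
        record = self.passwords.get(user)
        if record is None:
            return None
        salt, digest = record
        if digest != self._digest(salt, password):
            return None
        cookie = secrets.token_urlsafe(24)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        """What the server believes about any request that carries this cookie."""
        return self.sessions.get(cookie)

    def change_password(self, cookie, new_password):
        """Change the password of whoever presents the cookie; return the cookie to keep using."""
        user = self.whoami(cookie)
        if user is None:
            raise PermissionError("no valid session")
        self.set_password(user, new_password)
        if not self.revoke_sessions_on_password_change:
            return cookie  # weak: every outstanding session, stolen copies included, stays valid
        # hardened: drop every session belonging to this user, then issue the caller a new one
        self.sessions = {c: u for c, u in self.sessions.items() if u != user}
        return self.login(user, new_password)


def simulate(revoke_sessions_on_password_change):
    """Victim logs in, attacker copies the cookie value, victim changes the password."""
    store = SessionStore(revoke_sessions_on_password_change)
    store.set_password("victim", "hunter2")          # constructed credentials
    victim_cookie = store.login("victim", "hunter2")
    stolen_cookie = victim_cookie  # however it was taken, the value alone is all the attacker needs

    attacker_accepted_before = store.whoami(stolen_cookie) == "victim"
    victim_cookie = store.change_password(victim_cookie, "correct horse battery")
    return {
        "attacker_accepted_before_change": attacker_accepted_before,
        "attacker_accepted_after_change": store.whoami(stolen_cookie) == "victim",
        "victim_accepted_after_change": store.whoami(victim_cookie) == "victim",
        "old_password_still_works": store.login("victim", "hunter2") is not None,
    }


if __name__ == "__main__":
    for revoke in (False, True):
        print("revoke sessions on password change:", revoke, simulate(revoke))
```

In the weak configuration the server cannot tell the thief from the victim, before or after the password change, because the cookie is the only thing it checks. Only the service can close that door, by revoking sessions when a password changes and by keeping the cookie out of reach of whatever stole it in the first place; nothing the user does from their own browser will do it.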
To read Brian McWilliams's original article on this problem, go to http://www.internetnews.com/wd-news/article/0,,10_444201,00.html