Loophole Detected in Critical Path Web Mail

Web-based e-mail services from Critical Path Inc. were, until Thursday night, vulnerable to malicious hackers who could gain access to accounts, where they could read, write and delete messages as long as the user was logged on.

Mike Serbinis, chief security officer at Critical Path, said that the security loophole was closed for all customers Thursday night and that his company had received no complaints from customers. The company provides messaging services for corporations and service providers such as Internet service providers, telcos and portals.

"The first time we received details of a loophole was Tuesday morning. We had a fix in Q&A by the end of the day," he said. "The loophole is closed up."

The vulnerability was reported Monday when a former Critical Path employee posted an advisory on the Bugtraq list at the SecurityFocus.com site.

"A simple flaw in the Web mail service offered by Critical Path (www.cp.net) allows an attacker to gain full access of any Web mail account. The attack falls under the umbrella of cross-site scripting," wrote Jeffrey Baker.

"We basically put into the product a smarter session cookie," Serbinis said of his solution. "The cookie basically is a constantly changing cookie. That improves security dramatically."

By its own accounting, Critical Path has more than 100 million end users, through partnerships with ETrade Group Inc., CompuServe Corp., Network Solutions Inc., US West Inc., Sprint, France Telecom SA, British Telecommunications PLC and ICQ.

"Nobody's going to stop using Critical Path because of this," said security analyst Ira Winkler, president of the Internet Security Advisors Group in Severna Park, Md.

"I don't see it as putting the customers at dire risk immediately, but obviously they have to fix the problem right away," Winkler said.

"Any vulnerability that relinquished private information by an individual is serious," said Ron Delpiere-Smith, technical services manager at Deloitte & Touche LLP, from his Chicago office.

He does, however, agree with Winkler that this incident is not likely to jeopardize customers. "[In] my opinion alone, that is an adequate response time," Delpiere-Smith said.

Baker said the hole affects most users. ETrade users aren't vulnerable, he said, because their session hashes are stored in the URL, not in cookies.

Hashing is a process for encrypting passwords, messages and other data.

Baker was a programmer at Critical Path until Jan. 12, 1999, he wrote in his advisory. He also wrote that he didn't work on the Web mail products and didn't know of the hole until after he left the company.

He said he discovered the flaw at the O'Reilly Open Source Convention on July 17. He discussed the problem with about 100 other programmers and then notified Critical Path on July 21, offering his services to solve the problem.

By Aug. 21, he said, he had heard no reply, and the problem wasn't fixed, so he decided to go public with the information.

Winkler, however, was critical of Baker's attempt to make money out of the flaw. "If he wasn't a beta tester, don't beta-test and then ask for money," Winkler said, "If you're going to give out the information then give it out. ... It just seems scummy to me."

The attack would work by sending an e-mail with an embedded HTML link. That link, anchored with seemingly innocuous JavaScript code, sends the cookie information back to the attacker.

"The attack works by tricking a legitimate Web mail user into clicking on a link while logged into the Web mail system. The link exploits a programming error in the Web mail system to send the user's username and session cookie to another site. The username and session cookie can then be used to gain full control over the user's account," Baker wrote in his post.

Once an attacker has access to an account, he or she can read, write and delete e-mail messages forever, even if the password is changed, Baker wrote.
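The sketch below is an added illustration, not Critical Path's code, of the two defensive ideas the article touches on: a session cookie that changes on every request, as Serbinis describes, and revoking sessions on a password change so that a copied cookie does not outlive the old password. The class and method names are hypothetical, and the in-memory dictionaries stand in for a real session store.

```python
import secrets


class RotatingSessionStore:
    """Server-side sessions whose cookie value changes on every request (hypothetical)."""

    def __init__(self):
        self._by_token = {}   # current cookie value -> session id
        self._retired = {}    # spent cookie value -> session id, kept to spot replays
        self._sessions = {}   # session id -> username

    def login(self, username):
        sid = secrets.token_hex(8)
        self._sessions[sid] = username
        return self._issue(sid)

    def _issue(self, sid):
        token = secrets.token_urlsafe(32)  # unguessable, single-use cookie value
        self._by_token[token] = sid
        return token

    def request(self, token):
        """Validate a cookie; return (username, next_cookie) or (None, None)."""
        if token in self._retired:
            # A spent cookie came back: a copy is in use somewhere, so end the session.
            self._kill(self._retired[token])
            return None, None
        sid = self._by_token.pop(token, None)
        if sid is None:
            return None, None
        self._retired[token] = sid
        return self._sessions[sid], self._issue(sid)

    def _kill(self, sid):
        self._sessions.pop(sid, None)
        for table in (self._by_token, self._retired):
            for tok in [t for t, s in table.items() if s == sid]:
                del table[tok]

    def password_changed(self, username):
        """Revoke every session of the user so old cookies die with the old password."""
        for sid in [s for s, u in self._sessions.items() if u == username]:
            self._kill(sid)
```

A production service would also need a short grace window for parallel requests from the same browser, which strict per-request rotation would otherwise log out.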
