SAN FRANCISCO (08/24/2000) - E-mail hosting provider Critical Path Inc. (CPTH) is working on a patch for a security hole discovered last month that could be used by a malicious Web site to take over customer e-mail accounts, read and delete e-mail, and impersonate a computer user via his or her e-mail.
Jeffrey Baker, who discovered the flaw on July 17 while preparing for a presentation at the O'Reilly Open Source Convention, says the hole, essentially a flaw in the Web mail service offered by Critical Path to corporate customers, could allow an attacker to gain full access to any e-mail account, ultimately forcing the customer to get a new account. Baker reported the flaw to Critical Path on July 21.
The attacker could exploit the flaw and send an e-mail that contained an HTML link to a malicious Web site, which then could send the user's username and session cookie, a long numeric "key" used to access the account, to another Web site, according to Baker, who was a programmer at Critical Path until he left in January. He declined to name his new employer.
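The article does not say exactly how the malicious page obtained the session cookie, but the class of problem it describes, untrusted HTML from a message being rendered inside the mail site's own origin, is what webmail clients defend against by sanitizing message bodies before display. The following is an added example written for this page, not Critical Path's code: an allow-list HTML sanitizer built on Python's standard `html.parser`. The tag and attribute allow-lists, the `DROP_WITH_CONTENT` set and the function names are this example's assumptions; `rel="noopener noreferrer"` on links is a present-day attribute that did not exist in 2000 and is included because it stops the mail site's URL (which may carry a session key) from being sent as a Referer to a linked site.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-lists are this example's assumptions, not any vendor's rules.
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "div", "span",
                "ul", "ol", "li", "blockquote", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # every other attribute is dropped
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return the URL if it is an absolute http(s)/mailto link, else None."""
    if value is None:
        return None
    # Drop control characters that browsers ignore but which defeat
    # naive prefix checks, e.g. "java\x00script:".
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_SCHEMES else None


class MailSanitizer(HTMLParser):
    """Rebuilds a message body from an allow-list; everything else is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip = 0          # > 0 while inside an element dropped with its content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return              # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # removes on* handlers, style, etc.
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue    # javascript:, data:, relative links are dropped
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        if tag == "a":
            # Keep the mail site's URL out of the Referer sent to the link target.
            kept.append(' rel="noopener noreferrer"')
        self.parts.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._skip:
                self._skip -= 1
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.parts.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            # convert_charrefs already decoded entities; re-escape so text
            # can never be reinterpreted as markup.
            self.parts.append(html.escape(data, quote=False))


def sanitize_html_mail(body):
    """Return a rendering-safe version of an HTML e-mail body."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed sample message body, not taken from the article.
    sample = ('<p onclick="x()">Hello<script>alert(1)</script> '
              '<a href="javascript:alert(1)">click</a> '
              '<a href="https://example.com/">site</a></p>')
    print(sanitize_html_mail(sample))
```

The sanitizer rebuilds output from what it recognises rather than trying to delete known-bad patterns, so an unexpected tag or attribute is dropped by default; cookie flags such as HttpOnly are a complementary control at the HTTP layer and are not shown here.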
Still, "Critical Path should take a more aggressive approach to plugging security holes," he says.
A Critical Path manager defended the company's efforts. "As soon as the details of the loophole were brought to light, we jumped all over it and have a fix under way," says Mike Serbinis, chief security officer at the San Francisco-based company. "We haven't received any reported incidents from any customers that use the Web mail product." Critical Path has about 30 million users at companies including AltaVista Co., US West and E-Trade. The security hole affects about 20 million users of its Web-based e-mail service; users who reach the service through the Internet Message Access Protocol (IMAP) or the Post Office Protocol (POP) are not exposed to it.
Critical Path has had some setbacks of late. The company laid off about 125 of its 950 employees July 19, the same day it announced a second-quarter net loss of $20.2 million. Executives at the company say the layoffs merely eliminated redundant positions following Critical Path's acquisition of 10 companies in the past year.
In addition, the company suffered from a series of technical glitches last year. In September, Critical Path had to patch a security hole that allowed people to access user accounts without knowing passwords. Then, in May, service was disrupted for a full day. In November, there were slowdowns in the service, and customers were temporarily locked out of their accounts in December.