Last week I mentioned StrongWebMail - a company that claimed to offer the strongest Web mail on the planet. That claim was proven false when a team of researchers bypassed its security using an obvious inroad.
You might recall that StrongWebMail uses a callback technique during the login process. Basically, you get a phone call when you try to log in. You have to enter the PIN given to you during the call in order to complete the logon process. Sounds pretty good, right? But what about after you log in?
While the developers at StrongWebMail were busy protecting the gates to the kingdom, they apparently overlooked the need to lock the doors inside to prevent people from roaming around, and they forgot to guard the users themselves in case they decided to roam around.
According to IDG, the researchers created an email account of their own and, once logged in, found ample room for manipulation - to the point of being able to gain access to the StrongWebMail CEO's calendar. Internal security was very lax. Game over.