All the latest UK technology news, reviews and analysis
|
|
|
21 Mar 2002
Security watchers have identified a vulnerability in the web mail service of internet portal Excite that allows for the hijacking of a user's account.
According to the experts, when a user logs in to their account through Excite's web interface, the session is authenticated by a unique URL.
By sending an HTML email which includes an image based on another server to the victim, an attacker can easily get the unique URL from the referrer field in the HTTP header.
Simply pasting this into a web browser would drop the attacker straight into the victim's mailbox with complete control of the account.
The exploit has been discussed to some degree on security mailing list Bugtraq, and Eyeonsecurity.net has even published a demonstration of the attack. Excite has been notified but has not yet responded.
By way of combating the threat, Eyeonsecurity recommends using secure mode in the browser (HTTPS) to access Excite web mail. This prevents the referrer URL from being sent out.
Latest stories from Security
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Principal Development Engineer Lead- London - Smart TV...
Development Engineer - London - Smart TV, Gaming, Tablets...
Principal Development Engineer - London - Smart TV, Gaming...
Test Engineer -London - Smart TV, Gaming, Tablets, PC...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?