TOPIC: Hushmail.com accounts vulnerable to script attack.
ADVISORY NR: 200102
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
CONTACT INFORMATION: http://onesemicolon.cjb.net me@onesemicolon.cjb.net

*SNIP*

I can confirm this attack, but I also have to report a far more serious vulnerability in Hushmail (which was probably executed using the described attack).

An email was sent using my Hushmail account, _including_ a previous message to the previous recipient of an email message. Upon inquiry, Hushmail confirmed that they had a problem with user authentication, but they state that no encrypted email was exposed.

I also have to add that the PGP signature on the email sent through my account did not verify. Nevertheless, the email originated from Hushmail's mail server and reached a recipient _containing_ a previous email.

This can do some serious damage to people handling confidential matters through Hushmail.

Hushmail states that the problem has been fixed.