This is a nice story about computer security, and something to think about for all sysadmins. It's not enough to build robust barriers at the entrance, if something relatively simple can transform a legitimate user into a channel to the outside world. Read about Defence in depth or security in depth.
From /. : Hackers Claim $10K Prize For StrongWebmail Breakin
They never logged into the account themselves.
It's an XSS exploit: StrongWebmail expended all their resources attempting to prevent people obtaining credentials and logging in. However, send an email with an appropriate piece of script to the target user, or provide a link targetting one of the iframes on the site, and all you have to do is sit back and wait for that to get loaded in the browser.
The person doing the exploit never has to log in, all they need is to get some script on the page and wait for the target user to use their account as normal, which triggers the exploit right inside the browser. That's why noscript blocked the attempt on IDG - it wasn't the hackers running Firefox+noscript, it was the journalist asking them to replicate the attack.
No secretaries, janitors or midnight exchanges of cash-filled envelopes required - they spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues
delivered to the service entrance.
Anonymous Coward on 06/06/09 14:17