Tuesday, September 09, 2008

Java, E-mail, Webmail and Vulnerabilities

I can feel a slight twinge of sympathy for Newegg, they seem like a nice company and I've used them for purchases in the past. However, I think they're in for a bashing on the internets as this morning they sent out an e-mail flyer with a JavaScript that opened a dialog box requiring a non-existent user name and password. You could not cancel out of the box, rendering your entire e-mail account useless. Compounding the problem is that using webmail via a browser caused the same actions. Since the webmail pages are Java based, disabling Java in the browser denies access to your account!

I fixed the problem with some skullduggery which eventually required me to completely delete my e-mail account from Mail; I am currently re-downloading 21,000 e-mail messages, which is not what I wanted to do on a busy work morning.

Newegg may have done us all a favor though in showing that e-mail readers and webmail systems that do not allow the suspension of Java are incredibly vulnerable to this sort of flawed code. In this case the problem was merely incompetence; what if the intent had been malicious?
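One defensive counterpart to the exposure described above, as an added example that is not code from the original post or from any mail product: a small Python sanitizer that drops script elements, applets and other embedded objects, inline event handlers and script-scheme URLs from an HTML message before it reaches a renderer. The class and function names and the sample flyer are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Elements whose whole subtree is discarded (they run code or embed documents).
ACTIVE_ELEMENTS = {"script", "applet", "object", "embed", "iframe", "frame"}
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")   # never allowed in URL_ATTRS

class MailSanitizer(HTMLParser):                # hypothetical name, added example
    def __init__(self):
        super().__init__()                      # convert_charrefs=True: data arrives unescaped
        self.out, self.skip_depth = [], 0       # skip_depth > 0 inside a discarded element

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):           # onload=, onerror=, onclick= ...
                continue
            probe = "".join((value or "").split()).lower()   # "java\tscript:" -> "javascript:"
            if name in URL_ATTRS and probe.startswith(BLOCKED_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._clean_attrs(attrs)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):                # HTML comments are dropped by default
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_html_mail(body: str) -> str:
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample flyer: a script block, an inline handler and a script URL.
SAMPLE_MAIL = ('<p onclick="alert(1)">Hello <b>customer</b></p>'
               '<script>prompt("Login")</script><a href="javascript:void(0)">Shop</a>'
               '<img src="http://example.test/logo.png" onerror="x()">')
```

`sanitize_html_mail(SAMPLE_MAIL)` returns `<p>Hello <b>customer</b></p><a>Shop</a><img src="http://example.test/logo.png">`, the same layout with every piece of active content gone.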

