Advertisement
Australia markets closed
  • ALL ORDS

    8,153.70
    +80.10 (+0.99%)
     
  • ASX 200

    7,896.90
    +77.30 (+0.99%)
     
  • AUD/USD

    0.6520
    -0.0016 (-0.25%)
     
  • OIL

    82.52
    +1.17 (+1.44%)
     
  • GOLD

    2,233.70
    +21.00 (+0.95%)
     
  • Bitcoin AUD

    109,392.84
    +3,034.16 (+2.85%)
     
  • CMC Crypto 200

    885.54
    0.00 (0.00%)
     
  • AUD/EUR

    0.6036
    +0.0005 (+0.09%)
     
  • AUD/NZD

    1.0901
    +0.0021 (+0.19%)
     
  • NZX 50

    12,105.29
    +94.63 (+0.79%)
     
  • NASDAQ

    18,280.34
    -0.50 (-0.00%)
     
  • FTSE

    7,973.03
    +41.05 (+0.52%)
     
  • Dow Jones

    39,752.53
    -7.55 (-0.02%)
     
  • DAX

    18,508.22
    +31.13 (+0.17%)
     
  • Hang Seng

    16,541.42
    +148.58 (+0.91%)
     
  • NIKKEI 225

    40,168.07
    -594.66 (-1.46%)
     

Hackers can steal the contents of Horde webmail inboxes with one click

A security researcher has found several vulnerabilities in the popular open-source Horde web email software that allow hackers to near-invisibly steal the contents of a victim's inbox.

Horde is one of the most popular free and open-source web email systems available. It's built and maintained by a core team of developers, with contributions from the wider open-source community. It's used by universities, libraries and many web hosting providers as the default email client.

Numan Ozdemir disclosed his vulnerabilities to Horde in May. An attacker can scrape and download a victim's entire inbox by tricking them into clicking a malicious link in an email.

Once clicked, the inbox is downloaded to the attacker's server.

ADVERTISEMENT

But the researcher did not hear back from the Horde community. Security researchers typically give organizations three months to fix flaws before they are publicly disclosed.

NIST, the government department that maintains the national vulnerability database, said this week that the flaws pose a "high" security risk to users.

Ozdemir said some — though not all — of the vulnerabilities were recently fixed in the latest Horde webmail version. But the Horde community has not publicly acknowledged the vulnerability — or that users of earlier versions of the webmail are still vulnerable.

"It is really very easy to steal people's email," he told TechCrunch.

His bug report filed with Horde remains open at the time of writing. We emailed Horde several times, but did not hear back until after publication. Jan Schneider, a core developer on the project, said the vulnerabilities "have indeed been fixed, won't be fixed, or didn't even exist anymore at the time of the reporting."