IIRC the telephone authentication is not used if the machine has already been used to log into the account. Since the company gave away the username and password, all that would remain is to steal the cookie used to identify a machine that has already logged in.
That could be done with an XSS attack using JavaScript to access the cookie and divert it.
I considered doing this but would have needed to sign up for an account and that required giving a credit card which I didn't want to do. Well done to the people who made it work.
The IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine.
I'm guessing they used XSS to perform the man-in-the-middle attack and snatch the username+password+security code, but initially it didn't work on the journalist's computer because he had NoScript installed.
From what little I could glean, it sounded like the attackers used some kind of CSRF attack that required the target account to log in.
IDG probably logged in with NoScript enabled, preventing the attacker's script from being run by IDG's browser. Disabling NoScript allowed the CSRF attack to work properly. The website was merely an unwitting pawn.
They used XSS (cross site scripting) to send a mail to the target. When the email is viewed a CSRF (cross site request forgery) is executed to add a new device (phone) to the authenticated devices list. Next they log in, receive the SMS on their phone that is now in the list...bam!
[Edit: I didn't mean XSS to send the email, I meant inject an XSS attack into the email and send it. I'm thinking something like pseudo: location.replace('/link/to/add/device/?phone=555-1212') ]
Can you explain what the CSRF attack you're thinking of is? Maybe I'm not reading you carefully enough (long day), but that doesn't sound like a CSRF to me.
Victim logs in using two-factor auth, gets a cookie which lets them back in without phone in future.
Attacker sends email to victim with some kind of script embedded.
Victim views email, javascript runs and sends cookie info to attacker.
Attacker uses cookie to impersonate victim.
Of course, it's been a long day here too, and I'm so far from an expert on this stuff it's entirely probable that what I just described doesn't make sense/isn't possible.
Edit: Yeah, guess what I described is more XSS than CSRF
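The two chains sketched in this thread, a script in a viewed message reading the session cookie, and a request to an "add device" endpoint riding on a session that is already logged in, are what the HttpOnly cookie flag and a per-session CSRF token are meant to stop. The following is an added illustration, not code from the thread or from StrongWebmail; the endpoint name, the in-memory session store and the `csrf`/`phone` field names are assumptions.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Hypothetical in-memory session store: session id -> session state.
SESSIONS = {}


def create_session(user):
    """Log a user in: random session id plus a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "devices": []}
    return sid


def session_cookie_header(sid):
    """Build the Set-Cookie header for the session.

    HttpOnly keeps document.cookie from exposing the value to any script that
    runs in the page (the exfiltration step described in the thread); Secure
    and SameSite=Strict limit where the browser will send it at all.
    """
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


def handle_add_device(method, headers, body):
    """Simulated handler for a hypothetical POST /add_device endpoint.

    Returns (status, message). The browser attaches the session cookie to a
    cross-site request automatically, so the cookie alone must never be enough
    to authorize a state change: the request must also carry the CSRF token,
    which a page on another origin cannot read.
    """
    if method != "POST":
        # A redirect or image tag can only produce a GET; never mutate state on one.
        return 405, "state changes require POST"
    cookie = SimpleCookie(headers.get("Cookie", ""))
    sid = cookie["session"].value if "session" in cookie else None
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no valid session"
    form = parse_qs(body)
    token = form.get("csrf", [""])[0]
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or wrong CSRF token"
    phone = form.get("phone", [""])[0]
    if not phone:
        return 400, "phone required"
    session["devices"].append(phone)
    return 200, "device added"


def demo():
    """Legitimate form post versus a forged cross-site post carrying only the cookie."""
    sid = create_session("victim")
    headers = {"Cookie": f"session={sid}"}
    token = SESSIONS[sid]["csrf"]
    # Constructed inputs: the real form includes the token, the forged one cannot.
    legit = handle_add_device("POST", headers, f"csrf={token}&phone=555-0100")
    forged = handle_add_device("POST", headers, "phone=555-0199")
    return legit[0], forged[0]


if __name__ == "__main__":
    print(demo())
```

The token check is what matters here: the forged request arrives with a perfectly valid session cookie and is still refused. A further step many services take for exactly this kind of change (adding a phone that receives login codes) is to require the second factor again before honoring the request, independent of the cached login cookie.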
I suspect you're on the right lines: but from the XSSExploits tweets I imagine that what they might well have done is execute some JS to add a new authorised phone number to the list (i.e. by just posting the new details).
That said they say they also needed a StrongWebmail account for it to work so I could be wrong - perhaps they just hijacked their authed session ID into the CEO's (possibly??)
They had no viable business plan to begin with. Google and Yahoo mail are among the top 10 trophy targets on the Internet. I have no idea how you'd convince me some startup had put more resources into securing mail than Google did.
I've dealt with several companies, mostly banks, that use web based "secure e-mail" systems (mostly they're just file storage systems). They won't e-mail important documents to you since most people's e-mail clients use plain text and/or people use weak passwords, etc...
In fact I recently received a four inch thick stack of documentation, APIs, etc... via FedEx from a bank because they didn't trust my e-mail and I wasn't on "the list" for their "secure e-mail" site (pay per account thing).
So yes, reasonable or not, secure or not, there is a business supplying "secure" communications for businesses.
I believe they probably found a way to inject some data that wasn't properly escaped.
When the CEO (or anyone else) would receive the alerts that someone was trying to break into their accounts, the XSS or javascript (or whatever) would be included in the alert and executed ... That's probably how they broke into it and why it didn't work with noscript enabled.
Advertising that their application is incredibly insecure?
Even if they fix this, I wouldn't trust a company that claims their product is very secure, offers a $10k reward for hacking it, then gets exploited in less than a day by (most likely) the simple XSS vulnerability mentioned in another comment.
http://www2.telesign.com/login.php?loginerror=yes&user=\...
Pathetic. (Telesign is behind StrongWebmail)