
E-mail account security vulnerability

On 11 August 2016, the three email providers 1&1, GMX and Web.de announced a major security vulnerability.
Unauthorised users could have taken over other people’s mailboxes and thus stolen very personal information. The recipients would only have had to click on an HTTPS link in an email, and they would have given away information the attackers could use, including passwords, credit card numbers and log-in data.

Wired magazine reports about 1.7 threatened accounts out of a total of 34 million active users.

On 14 August 2016, it was confirmed that the security hole had been closed and that there were no incidents.

The problem was that the session ID was passed on to the linked server in the referrer. A quote from Wired describes the problem: “The affected portals used a 302 redirect, which transmits the referrer URL including the session ID in the case of a link between two HTTPS servers.” Anyone who received that referrer could have impersonated the account owner.

The providers now use dereferrers, which handle the redirection via intermediary HTML pages. The session ID is removed from the referrer, so no outsider can get into the mailbox.
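The two flows described above, as an added Python example that is not the providers' code and not from the original post. It models the browser's Referer behaviour for the two cases the article contrasts: a 302 from the mailbox page (the Referer of the original click, session ID and all, reaches the external HTTPS site) versus an intermediary dereferrer page that carries no session ID in its own URL and declares a no-referrer policy. The host names, the `sid`/`sessionid` parameter names and the `/deref` path are constructed for illustration; a `referer_carries_session` check is included as the kind of log-side detection a provider could run.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qs
import html

# Constructed for this example: query parameters that the toy webmail uses to carry
# the session ID in its URLs. The real providers' parameter names are not on the page.
SESSION_PARAMS = {"sid", "sessionid"}
ALLOWED_TARGET_SCHEMES = {"http", "https"}


def referer_for_navigation(document_url: str, target_url: str,
                           policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Model the Referer header a browser sends when the page at document_url
    navigates to target_url. Only the two policies relevant here are modelled:
    the legacy default (send the full URL unless going from HTTPS to HTTP) and
    'no-referrer'. Fragments are never sent; the query string is."""
    if policy == "no-referrer":
        return None
    src, dst = urlsplit(document_url), urlsplit(target_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None  # downgrade: browsers drop the Referer entirely
    return urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))


def referer_after_302(mailbox_url: str, external_url: str) -> Optional[str]:
    """A 302 from the provider's redirect endpoint does not reset the Referer:
    the browser reuses the Referer of the original click, i.e. the mailbox page
    URL. If that URL carries the session ID, the external HTTPS server gets it."""
    return referer_for_navigation(mailbox_url, external_url)


def referer_carries_session(referer: Optional[str]) -> bool:
    """Detection check: does a Referer value include one of the session parameters?
    Usable on the provider side when reviewing logs of outbound-link handling."""
    if referer is None:
        return False
    query = parse_qs(urlsplit(referer).query)
    return any(name in query for name in SESSION_PARAMS)


def dereferrer_page(target_url: str) -> str:
    """Build the intermediary HTML page. It is served from a URL without the
    session ID, declares referrer policy 'no-referrer' and forwards with a
    meta refresh plus a manual link. Only http(s) targets are accepted so the
    page cannot be turned into a launcher for other URL schemes."""
    if urlsplit(target_url).scheme not in ALLOWED_TARGET_SCHEMES:
        raise ValueError("dereferrer only forwards to http(s) URLs")
    safe = html.escape(target_url, quote=True)
    return (
        "<!doctype html><html><head>"
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        "</head><body>"
        f'<a rel="noreferrer" href="{safe}">Continue to external site</a>'
        "</body></html>"
    )


def referer_via_dereferrer(external_url: str) -> Optional[str]:
    """Second hop of the fixed flow: the dereferrer page (session-free URL,
    no-referrer policy) navigates to the external site."""
    dereferrer_url = "https://mail.example/deref"  # constructed; no session ID in it
    dereferrer_page(external_url)  # the page that would be served; validates the target
    return referer_for_navigation(dereferrer_url, external_url, policy="no-referrer")


if __name__ == "__main__":
    mailbox = "https://mail.example/inbox?sid=SECRET123"  # constructed session-in-URL page
    external = "https://third-party.example/article?id=7"
    leaked = referer_after_302(mailbox, external)
    print("302 redirect ->", leaked, "| session leaked:", referer_carries_session(leaked))
    fixed = referer_via_dereferrer(external)
    print("dereferrer   ->", fixed, "| session leaked:", referer_carries_session(fixed))
```

Two design points: the dereferrer page both removes the session ID from its own URL and sets `no-referrer`, so the fix does not depend on browser defaults, which at the time sent the full HTTPS URL to other HTTPS origins; and the target is restricted to http(s) and HTML-escaped, because a redirect page that accepts arbitrary input is itself a common weak spot.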

Read more about the security gap in email accounts here.

September 30, 2016