Because We Can
There seem to be no bounds to the hacking community at the moment as the bigger corps increase their defences against the increasingly inventive hacktivists that are subliminally raiding your processor cycles. Zkey is the latest, and here’s how you do it ...

This page describes a security problem that Blue Adept discovered with the Zkey portal on August 14, 2000. Zkey provides free, SSL-protected file storage space (“z-drive”), collaboration utilities, contacts, calendaring, and web-based email. The security hole allows Zkey users to easily steal the usernames and passwords of other Zkey users.

The demonstration exploit involves sending e-mail to another Zkey user which includes malicious JavaScript code embedded in the body of the message. When an unsuspecting Zkey user reads the email, the embedded JavaScript code can take complete control of the user interface, compromising the username and password of the victim. As the demonstration exploit shows, the embedded code can force the Zkey user to re-login to the service as if their session had expired, at which point the username and password are sent back to the malicious user. However, this demonstration is only one way to exploit the weakness in the Zkey portal; a more subtle scripting attack could share out a user’s z-drive filesystem as soon as the email message is viewed.

Once a malicious user knows the username/password of the victim’s Zkey account, she can assume full control of the account, including the ability to:

- download files from the victim’s z-drive.
- delete/replace files from the z-drive.
- access/alter the victim’s contact information.
- access/alter the victim’s calendar/scheduling information.
- change the victim’s username/password, locking them from their accounts.
- access any shared z-drives from secondary accounts.
- read/delete the victim’s Zkey-email or send Zkey-email in the victim’s name.
- access email from any secondary email accounts configured for mail checking.

This is part of the full breakdown found at: www.because-we-can.com

We in no way encourage this sort of activity and only cover it in the Feed to help raise awareness of possible security faults with these operators.
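The root cause described above is a webmail client rendering an untrusted HTML message with its script and event handlers intact. The usual mitigation is to sanitize the message body against an allowlist before it reaches the browser. The following is an added example written for this page, not Zkey's or Blue Adept's code: it rebuilds every tag from parsed parts, so only allowlisted tag names and attributes can appear in the output, drops `script`/`style` bodies entirely, and rejects `href` values whose scheme is not allowlisted even when the scheme is entity-encoded. The names `sanitizeHtml`, `CONSTRUCTED_MESSAGE` and the allowlists are assumptions of the example, and the sample message is constructed here in the shape the advisory describes (a script that would repaint the page as a re-login prompt, beside a legitimate link).

```javascript
// Allowlist-based sanitizer for HTML e-mail bodies (added example, not Zkey's code).
// Every tag in the output is rebuilt from parsed parts, so only allowlisted tag
// names and attributes can ever appear; everything else is dropped or escaped.
// Assumed names: sanitizeHtml, CONSTRUCTED_MESSAGE and the allowlists below.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "blockquote"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };          // every allowed attribute is a URL
const ALLOWED_SCHEMES = ["http:", "https:", "mailto:"];  // script-carrying schemes are not here
const RAW_TEXT_TAGS = new Set(["script", "style"]);       // element body is dropped with the tag
const VOID_TAGS = new Set(["br"]);

// Only '<' and '>' can open or close markup in text; '&' is left alone so existing entities survive.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Decode numeric entities and the common named ones, so an encoded scheme cannot slip past the check.
function decodeEntities(s) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&amp;/gi, "&").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&quot;/gi, '"');
}

// Returns the decoded URL if its scheme is allowlisted, otherwise null.
function safeUrl(raw) {
  const decoded = decodeEntities(raw).trim();
  // Browsers ignore whitespace and control characters inside a scheme, so strip them before checking.
  const probe = decoded.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
  return ALLOWED_SCHEMES.some((s) => probe.startsWith(s)) ? decoded : null;
}

// Rebuild the attribute list of an allowed tag from its allowlisted attributes only.
function renderAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let rendered = "";
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    const key = a[1].toLowerCase();
    if (!allowed.has(key)) continue;                    // drops onclick, onerror, style, ...
    const url = safeUrl(a[2] ?? a[3] ?? a[4] ?? "");
    if (url === null) continue;                         // drops javascript:, data:, vbscript: ...
    rendered += ` ${key}="${escapeAttr(url)}"`;
  }
  return rendered;
}

function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let pos = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(pos, m.index));       // text between tags
    pos = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!closing && RAW_TEXT_TAGS.has(name)) {
      // Skip the element body; an unterminated <script> swallows the rest of the message.
      const end = html.toLowerCase().indexOf(`</${name}`, pos);
      const close = end === -1 ? -1 : html.indexOf(">", end);
      pos = close === -1 ? html.length : close + 1;
      tagRe.lastIndex = pos;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;             // drop the tag, keep surrounding text
    if (closing) {
      if (!VOID_TAGS.has(name)) out += `</${name}>`;
      continue;
    }
    out += `<${name}${renderAttrs(name, m[3])}>`;
  }
  return out + escapeText(html.slice(pos));
}

// Constructed message in the shape the advisory describes: script that would repaint the
// page as a re-login prompt, plus attribute and URL tricks beside a legitimate link.
const CONSTRUCTED_MESSAGE = [
  "<p>Hi, see the notes below.</p>",
  "<script>/* constructed: would replace the page with a fake re-login form */</script>",
  '<a href="javascript:void(0)" onclick="capture()">Session expired, click to log in again</a>',
  '<img src="x" onerror="capture()">',
  '<a href="&#106;avascript:capture()">entity-encoded scheme</a>',
  '<a href="https://zkey.example/zdrive?a=1&amp;b=2">a legitimate link</a>',
  '<b onmouseover="capture()">bold</b>',
].join("\n");

console.log(sanitizeHtml(CONSTRUCTED_MESSAGE));
```

The design point is that nothing from the input tag text is copied through: a tag is either rebuilt from its parsed name and vetted attributes or discarded, and stray `<`/`>` in text are escaped, so mutation tricks such as `<scr<script>ipt>` cannot reassemble into markup after a single stripping pass. A production webmail client should pair this with a maintained sanitizer library and a Content Security Policy rather than relying on a hand-rolled one alone.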