Hackers can steal the contents of Horde webmail inboxes with one click
Zack Whittaker reports:
A security researcher has found several vulnerabilities in the popular open-source Horde web email software that allow hackers to near-invisibly steal the contents of a victim’s inbox.[…]
Numan Ozdemir disclosed his vulnerabilities to Horde in May. An attacker can scrape and download a victim’s entire inbox by tricking them into clicking a malicious link in an email.
Read more on TechCrunch. If I was a Horde user, I would not be happy about the response to notification of the vulnerability.
There’s no indication in Zack’s report whether any Horde user actually has had their inbox stolen this way, but it sounds like Horde developers do not seem to feel there is a serious risk. But it’s hard toh tell from their response to Zack why they disagree with the researcher. Jan Schneider responded to TechCrunch’s inquiry by saying that the vulnerabilities “have indeed been fixed, won’t be fixed, or didn’t even exist anymore at the time of the reporting.”