On Thu, 10 May 2012, Ralf Hildebrandt wrote:

> * Jozsef Kadlecsik <kad...@blackhole.kfki.hu>:
>
> > I dunno. We had the newest squirrelmail (1.4.22) and still two times user
> > sessions were hijacked and used for spamming. The users could not recall
> > what they exactly did, unfortunately.
>
> Only thing one can do against this is two-factor auth (assuming nobody
> can circumvent the authorization)

The passwords were not stolen but the authenticated https sessions of the users.

Best regards,
Jozsef
-
E-mail : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary