
[ISN] VeriSign refutes security vulnerability claim

To: isn@infosecnews.org
Subject: [ISN] VeriSign refutes security vulnerability claim
From: InfoSec News <alerts@infosecnews.org>
Date: Thu, 24 Jun 2010 00:30:54 -0500 (CDT)
Organization: InfoSec News - http://www.infosecnews.org/
http://www.tgdaily.com/security-features/50315-verisign-refutes-security-vulnerability-claim

By Aharon Etengoff 
TG Daily
22nd Jun 2010

VeriSign has denied claims of an alleged security vulnerability recently 
identified by Comodo.

According to Comodo CEO Melih Abdulhayoglu, the vulnerability could 
theoretically allow hackers to access VeriSign customer accounts - 
including a major financial institution - without proper authentication.

"The vulnerability involves a simple search for a specific keyword, 
which then leads to a VeriSign account public access page. So, access to 
these accounts is only a pass phrase away. Think about it: malicious 
hackers from Russia or China can simply brute force their way past the 
password. Remember, security is only as good as its weakest link," 
Abdulhayoglu told TG Daily.

"Unfortunately, VeriSign has not accepted our analysis of the 
vulnerability. They are not seeing the problem and have told us that 
(second tier) challenge phrases are surrounded by stringent security and 
are monitored. But this is certainly not an acceptable policy and that 
is the crux of the problem."

[...]


