A hacker has managed to send emails from the FBI’s systems. This was possible due to a fairly banal security flaw that made editing an automated email.

 

Nearly 100,000 people received a cyberattack warning from the FBI over the weekend. That mail also effectively came from the systems of the American authorities but was sent by a hacker under the name Pompompurin.

The FBI confirms the incident and says the affected hardware was taken offline soon afterwards and did not provide further details at first.

The hacker who claims to be behind the spam wave does. The perpetrator tells security specialist Brian Krebs that he could have done much worse things, but he also tells how he could exploit a security hole on an FBI portal. The FBI subsequently supplemented its statement by stating that the affected platform is not part of the service’s email systems. The perpetrator could therefore e-mail on behalf of the FBI but had no access to e-mails or accounts of the FBI.

In concrete terms, this concerns the Law Enforcement Enterprise (LEEP) portal, a platform for law enforcement agencies. You can request an account and receive a temporary password by e-mail to check whether the e-mail address concerned actually belongs to the applicant.

In practice, however, it turned out that the temporary password could already be viewed via the HTML code of the web page, and it was possible to edit the content of that automated e-mail with some manipulation. In other words, the system sends you a verification email from an FBI address. Still, Pompompurin was able to edit that email, allowing him to send a custom message to anyone from an @ic.fbi.gov address.