A product that proclaims itself the most secure in the world is anything but, a researcher says, after finding plenty of critical vulnerabilities in it.
Nomx, a startup that’s trying to change the way we do email by having each user run a private email server at home, touts that its product “ensures absolute security and privacy.” The reality is that we should all probably run screaming when we see such words in a product’s description, because it’s been proven time and time again that the truth is a lot different.
Security researcher Scott Helme says the $199 device Nomx is selling is far from what it says it is. In fact, as Helme discovered, the box holds a Raspberry Pi running outdated software with plenty of bugs. He adds that the code is riddled with “bad examples of how to do things.” Ouch!
The researcher found plenty of issues with the Nomx product as a whole, but perhaps the most dangerous one was the fact that its web application came packed with a vulnerability that allowed just about anyone to take full control of the device remotely via a simple visit to a malicious website. The result was that he could read, send and delete emails, or even create a new email address.
More specifically, the Nomx web app is vulnerable to cross-site request forgery (CSRF), a common class of web attack: a malicious page the victim visits can make their browser send requests to the Nomx web app, and because the browser attaches the victim’s session cookie automatically, the app treats those requests as the victim’s own. Visit the wrong website and you’ll hand hackers access to the email account running on your Nomx.
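To make the class of bug concrete, here is an added example (my own illustration, not Nomx’s code and not Helme’s proof of concept) of how a CSRF attack against a cookie-authenticated web app works and how a per-session anti-CSRF token stops it. The app origin, route, session store and form field names are all hypothetical, and requests are modelled as plain objects so the whole thing runs offline.

```python
"""CSRF: vulnerable versus hardened handler for a 'send mail' action.
Added example; the app, routes and field names are invented for illustration."""
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://mail.example"       # hypothetical origin of the mail web app
SESSIONS = {}                              # session id -> {"user": ..., "csrf": token}
SENT = {}                                  # user -> list of (to, body) the app sent


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session and issue a per-session anti-CSRF (synchronizer) token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def current_user(req):
    s = SESSIONS.get(req.cookies.get("session"))
    return s["user"] if s else None


def vulnerable_send_mail(req):
    """Only the session cookie is checked. Browsers attach cookies to cross-site
    form posts automatically, so any page the victim visits can send mail as them."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 403, "forbidden"
    SENT.setdefault(user, []).append((req.form["to"], req.form["body"]))
    return 200, "sent"


def hardened_send_mail(req):
    """Same action, but the form must carry the secret token tied to the session.
    A cross-origin page cannot read that token, so it cannot forge the request.
    As defence in depth, an Origin header that does not match the app is rejected."""
    user = current_user(req)
    if req.method != "POST" or user is None:
        return 403, "forbidden"
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403, "bad origin"
    expected = SESSIONS[req.cookies["session"]]["csrf"]
    if not secrets.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403, "missing or invalid csrf token"
    SENT.setdefault(user, []).append((req.form["to"], req.form["body"]))
    return 200, "sent"


# Constructed: the kind of page a malicious site serves. The browser submits the
# form on load and, for the vulnerable app, includes the victim's session cookie.
ATTACKER_PAGE = """<form id="f" method="POST" action="https://mail.example/send">
  <input type="hidden" name="to" value="attacker@evil.example">
  <input type="hidden" name="body" value="forwarded secrets">
</form>
<script>document.getElementById('f').submit();</script>"""


def forged_request(victim_sid, with_origin=True):
    """What the victim's browser emits when it loads ATTACKER_PAGE: attacker-chosen
    fields, the victim's real session cookie, and (in modern browsers) an Origin header."""
    headers = {"Origin": "https://evil.example"} if with_origin else {}
    return Request("POST", "/send", {"session": victim_sid},
                   {"to": "attacker@evil.example", "body": "forwarded secrets"}, headers)


def legitimate_request(sid):
    """A post from the app's own page, which can embed the session's token in the form."""
    return Request("POST", "/send", {"session": sid},
                   {"to": "friend@example.com", "body": "hi",
                    "csrf_token": SESSIONS[sid]["csrf"]},
                   {"Origin": APP_ORIGIN})


def demo():
    """Returns the HTTP status each handler gives to each request."""
    sid = login("alice")
    return {
        "vulnerable_forged": vulnerable_send_mail(forged_request(sid))[0],
        "hardened_forged": hardened_send_mail(forged_request(sid))[0],
        "hardened_forged_no_origin": hardened_send_mail(forged_request(sid, False))[0],
        "hardened_legit": hardened_send_mail(legitimate_request(sid))[0],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler accepts the forged post because nothing in it distinguishes a request the user meant to make from one their browser was tricked into sending. The hardened handler needs a value the attacker’s page cannot obtain; marking the session cookie `SameSite=Lax` or `Strict` is a further layer, but the token check is what protects older browsers and non-cookie edge cases.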
As Motherboard points out, the Nomx CEO was quick to slam the report, saying that newer Nomx devices don’t run on Raspberry Pi and that the device Helme was given for testing purposes was rooted and old. Furthermore, in order for such an attack to work, users would have to have the email account page open.