dotgnu-general

address@hidden: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vul


From: Norbert Bollow
Subject: address@hidden: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability (fwd)]
Date: Thu, 8 May 2003 12:30:15 +0200 (CEST)

------- Start of forwarded message -------
Mailing-List: contact address@hidden; run by ezmlm
Date: Wed, 7 May 2003 22:40:57 -0600 (MDT)
From: Dan Hanson <address@hidden>
To: address@hidden
Subject: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
 (fwd)

I am forwarding this as it may impact people who depend on MSN or
Passport systems for business reasons. Contrary to what at
least one of the full-disclosure follow-ups reports, it does work.

D


---------- Forwarded message ----------
Date: Wed, 7 May 2003 19:50:51 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <address@hidden>
To: address@hidden
Subject: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability

Hotmail & Passport (.NET Accounts) Vulnerability

There is a very serious and stupid vulnerability or bad coding in Hotmail / 
Passport’s (.NET Accounts).

I tried sending emails several times to Hotmail / Passport contact addresses, 
but always met with the NLP bots.

I guess I don’t need to go into details of how crucial and important Hotmail / 
Passport’s .NET Account passport is to anyone.

You name it and they have it, E-Commerce, Credit Card processing, Personal 
Emails, Privacy Issues, Corporate Espionage, maybe stalkers and what not.

It is so simple that it is funny.

All you got to do is hit the following in your browser:

https://register.passport.net/emailpwdreset.srf?lc=1033&address@hidden&id=&cb=&address@hidden&rst=1

And you’ll get an email on address@hidden asking you to click on a url 
something like this:

http://register.passport.net/EmailPage.srf?EmailID=CD4DC30B34D9ABC6&URLNum=0&lc=1033

From that url, you can reset the password and I don’t think I need to say 
anything more about it.

Vulnerability / Flaw discovered : 12th April 2003
Vendor / Owner notified         : Yes (as far as emailing them more than 10 times is concerned)


Regards
--------
Muhammad Faisal Rauf Danka

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

------- End of forwarded message -------

------- Start of forwarded message -------
Date: Wed, 7 May 2003 23:17:55 -0600 (MDT)
From: Dan Hanson <address@hidden>
To: address@hidden
Subject: followup to the MSN hotmail and .Net passport change post

There are differing reports on the effectiveness of this attack. Our
testing here indicates that an older hotmail account is vulnerable, but a
newer one is not. It is unclear what the difference is, other than when
the account was created.





------- End of forwarded message -------
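
Added example, not part of the forwarded posts and not Passport's code: a minimal password-reset handler in the flawed form the report describes (assumed here to mean that the reset mail's recipient is taken from the request) next to a hardened form that looks the recipient up server-side. All names, addresses and the accounts.example URL are hypothetical, and the sample data is constructed.

```python
import hashlib
import secrets
import time

# Constructed sample data: account -> recovery address registered at sign-up.
RECOVERY = {"alice@mail.example": "alice.backup@isp.example"}
OUTBOX = []    # (recipient, link) pairs standing in for a mail queue
PENDING = {}   # sha256(token) -> (account, expiry); raw tokens are never stored
TOKEN_TTL = 15 * 60  # seconds
REPLY = "If the account exists, a reset mail has been sent."


def _issue(account, recipient, now):
    """Create an unguessable token, store only its hash, queue the mail."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (account, now + TOKEN_TTL)
    OUTBOX.append((recipient, "https://accounts.example/reset?t=" + token))


def reset_flawed(account, deliver_to, now=None):
    """Flawed pattern: the mail recipient comes from the request itself."""
    now = time.time() if now is None else now
    if account in RECOVERY:
        _issue(account, deliver_to, now)
    return REPLY


def reset_hardened(account, deliver_to=None, now=None):
    """Recipient is looked up server-side; a request-supplied one is ignored."""
    now = time.time() if now is None else now
    recipient = RECOVERY.get(account)
    if recipient is not None:
        _issue(account, recipient, now)
    return REPLY  # same reply whether or not the account exists


def redeem(token, now=None):
    """Single use: the entry is removed on first lookup; None if bad or expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```
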

