
Re: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability



This vulnerability in Microsoft's .NET passports was fixed several months ago; read the thread correctly at http://marc.theaimsgroup.com/?t=105236474000001&r=1&w=2 .

I personally tried it, and it will only work if the first email address in the URL is the same as the second email address, so I wouldn't call that a vulnerability, since only the owner of the address in question can apply this method to get his password back. It is totally useless if you have forgotten your password, because you need to have access to the incoming mailbox of the address you're trying to change the password for.

http://www.microsoft.com/security/passport_issue.asp

I am forwarding this as it may impact people who depend on MSN or
passport systems for business reasons. Contrary to what at
least one of the full-disclosure follow-ups reports, it does work.
---------- Forwarded message ----------
Subject: [Full-Disclosure] Hotmail & Passport (.NET Accounts)
Vulnerability



_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html