[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
From: n3td3v <xploitable@xxxxxxxxx>
Date: Tue, 9 Nov 2004 22:03:46 +0000

On Tue, 09 Nov 2004 19:40:08 +0000, CÃsar RenÃ Vega GarcÃa
<li_crvgjur1@xxxxxxxxxxx> wrote:
> 
> 
> 
> 
> :Hotmail & Passport (.NET Accounts) Vulnerability
> 
> There is a very serious and stupid vulnerability or badcoding in Hotmail /
> PassportÃââs (.NET
> Accounts)
> 
> I tried sending emails several times to Hotmail / Passport contact
> addresses, but always met
> with the NLP bots.
> 
> I guess I donÃâât need to go in details of how cruical and important 
> Hotmail
> / PassportÃââs
> .NET Account passport is to anyone.
> 
> You name it and they have it, E-Commerce, Credit Card processing, Personal
> Emails, Privacy Issues,
> Corporate Espionage, maybe stalkers and what not.
> 
> It is so simple that it is funny.
> 
> All you got to do is hit the following in your browser:
> 
> https://register.passport.net/emailpwdreset.srf?lc=1033&am!
> p;em=modulohio@xxxxxxxxxxx&id=&cb=&prefem=li_crvgjur1@xxxxxxxxxxx&rst=1
> 
> And youÃââll get an email on attacker@xxxxxxxxxxxx asking you to click 
> on a
> url something like
> this:
> 
> http://register.passport.net/EmailPage.srf?EmailID=CD4DC30B34D9ABC6&URLNum=0&lc=1033
> 
> >From that url, you can reset the password and I donÃâât think I need to 
> >say
> anything more about
> it.
> 
> Vulnerability / Flaw discovered : 12th April 2003
> Vendor / Owner notified : Yes (as far as emailing them more than 10 times is
> concerned)
> 
> 
> Regards
> --------
> Muhammad Faisal Rauf Danka 
> ________________________________
> T1msn Search. Todo lo que buscas ahora mÃs rÃpido Haz clic aquÃ
> _______________________________________________ Full-Disclosure - We believe
> in it. Charter: http://lists.netsys.com/full-disclosure-charter.html 

I assume you used security@xxxxxxxxxxxxx ? And you have found this
since 2003 and wanted to tell someone. Lame excuse dude. If e-mail
fails (which is unlikely if you use the correct address, which isnt
hard to find via search engines) then you can -easily- phone up
microsoft and make them aware and ask to be redirected to the security
team, or ask the switch board for the correct e-mail or the e-mail of
an employee. I'm sorry but it didn't wash that you tried every avenue
of contact before disclosing this vulnerability a year later, via a
security mailing list.

It sounds more like a kids excuse for smashing a window or getting
caught stealing candy from a store.

Further remarks on this are welcome...

Thanks, n3td3v

I'm a security enthusiast

My forum can be reached via a geocities address
http://www.geocities.com/n3td3v for off-thread feedback and comments.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
  - From: KF_lists

References:
- [Full-Disclosure] Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
  - From: César René Vega García

Prev by Date: Re: [Full-Disclosure] EEYE: Kerio Personal Firewall Multiple IP Options Denial of Service
Next by Date: Re: [Full-Disclosure] New MyDoom exploiting IFRAME
Previous by thread: [Full-Disclosure] Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
Next by thread: Re: [Full-Disclosure] Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
Index(es):
- Date
- Thread