[NEWS] MSN Contact List Disclosure
From: support@securiteam.comDate: 02/11/02
- Previous message: support@securiteam.com: "[NEWS] Hewlett Packard AdvanceStack Switch Management Authentication Bypass Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Mon, 11 Feb 2002 19:54:27 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
MSN Contact List Disclosure
------------------------------------------------------------------------
SUMMARY
A security vulnerability in the way MSN handles deleted accounts has been
discovered. This vulnerability would allow an attacker to impersonate
another user without anyone of his contacts knowing about it.
DETAILS
Exploit:
Register an account for MSN messenger, make some contact email addresses,
leave the account for 31 days. On a different machine (to ensure there is
no cache), go to the sign up section of MSN messenger, sign up again,
using the same screen name. You will be able to see the previous user's
contact list.
None of the contacts will have been alerted to the fact that the new
username actually belongs to an entirely different person, so they'll
still be sending messages, and if the new user is a haxor, (s)he'll be
replying just as if (s)he's the original user.
ADDITIONAL INFORMATION
The information has been provided by <mailto:h_bugtraq@yahoo.com> Tom
Micklovitch.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] Hewlett Packard AdvanceStack Switch Management Authentication Bypass Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
