[NEWS] MSN Contact List Disclosure

From: support@securiteam.com
Date: 02/11/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 11 Feb 2002 19:54:27 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  MSN Contact List Disclosure
------------------------------------------------------------------------

SUMMARY

A security vulnerability in the way MSN handles deleted accounts has been
discovered. This vulnerability would allow an attacker to impersonate
another user without anyone of his contacts knowing about it.

DETAILS

Exploit:
Register an account for MSN messenger, make some contact email addresses,
leave the account for 31 days. On a different machine (to ensure there is
no cache), go to the sign up section of MSN messenger, sign up again,
using the same screen name. You will be able to see the previous user's
contact list.

None of the contacts will have been alerted to the fact that the new
username actually belongs to an entirely different person, so they'll
still be sending messages, and if the new user is a haxor, (s)he'll be
replying just as if (s)he's the original user.

ADDITIONAL INFORMATION

The information has been provided by <mailto:h_bugtraq@yahoo.com> Tom
Micklovitch.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • Risks Digest 25.73
    ... German electronic health card system failure ... Risks of the Cloud: Liquid Motors ... Oakland 2010, IEEE Symposium on Security and Privacy, CFP ... A friend's facebook account was hacked recently (a neat little short-term ...
    (comp.risks)
  • Re: MBSA, Office Update, Versions, Failures
    ... I apologize for posting this to three groups (MBSA, Windows Update, ... with Domain User account. ... Microsoft Baseline Security Advisor (? ... Office 2000 Security Patches - Red X's, ...
    (microsoft.public.officeupdate)
  • Re: write with cURL
    ... you can stop making excuses. ... up an account for you, process the billing, etc. ... possible features from a web site to make up for the security issues. ... Nothing you have told me shows me you know how to lock down a server ...
    (alt.php)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... On the IIS directory security tab, anonymous access is disabled, digest ... authentication is disabled, integrated authentication is disabled and basic ... account created has full permissions for the folder and the file that's in it. ...
    (microsoft.public.inetserver.iis.security)
  • [NEWS] Vulnerability Enables Passport Account Hijackings (No Secret Question)
    ... Beyond Security in Canada ... to promote the most advanced vulnerability assessment solutions today. ... A newly disclosed vulnerability could enable attackers to reset the ... who needs to reset his account password can be manipulated by attackers on ...
    (Securiteam)