Re: myvoicestream.com vulnerability
From: Scott Dier (dieman@ringworld.org)
Date: 01/10/02
- Previous message: Dave Ahmad: "FWD: Sun Microsystems, Inc. Security Bulletin"
- In reply to: Trey Valenta: "myvoicestream.com vulnerability"
Date: Wed, 9 Jan 2002 21:06:34 -0600
From: Scott Dier <dieman@ringworld.org>
To: Trey Valenta <trey@anvils.org>
* Trey Valenta <trey@anvils.org> [020109 18:35]:
> myvoicestream.com allows VoiceStream Wireless customers to manage their
> phones and billing accounts over SSL. Access controls to sessions are
You missed the worst of it:
If you go to the 'update profile' page and view source, you can see the
currently set password. (Web authors: please stop doing this, please
leave those blank, please require reauthentication when resetting
passwords. I've found another site today apart from that that I just
notified the vendor of...)
Thus: you can hijack a session and gain a potentially re-used common
password and compromise a person's other accounts with that gained
information.
--
Scott Dier <dieman@ringworld.org> http://www.ringworld.org/
the desire for space travel is a metaphor for escape
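The two practices Scott asks web authors to adopt, shown as an added example that is not code from the original post or from the myvoicestream.com site: a profile form that leaves the password fields blank (beside the leaky pattern that prefills the current password into the page source), and a password change that requires the user to re-enter the current password before it is accepted. The user store, the function names (render_profile_form, change_password and so on) and the sample credential are assumptions constructed for this example; passwords are stored only as PBKDF2 hashes, so the server never has a plaintext to echo.

```python
import hashlib
import hmac
import html
import os

# Constructed in-memory user store (example only; a real site would use a database).
# Only a salted PBKDF2 hash is kept, never the plaintext password.
USERS = {
    "alice": {"email": "alice@example.invalid", "salt": b"", "pw_hash": b""},
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash for the given password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def set_password(username: str, password: str) -> None:
    """Store a fresh salt and hash for the user; the plaintext is discarded."""
    salt = os.urandom(16)
    USERS[username]["salt"] = salt
    USERS[username]["pw_hash"] = hash_password(password, salt)


def verify_password(username: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    rec = USERS[username]
    return hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["pw_hash"])


def render_profile_form_leaky(username: str, current_password: str) -> str:
    """The pattern described on the list: the current password is prefilled
    into the form, so anyone who can view source (or hijack the session)
    reads it. Shown only as the 'before' for comparison."""
    rec = USERS[username]
    return (
        '<form method="post" action="/profile">\n'
        f'  <input name="email" value="{html.escape(rec["email"])}">\n'
        f'  <input type="password" name="password" value="{html.escape(current_password)}">\n'
        "</form>"
    )


def render_profile_form(username: str) -> str:
    """Hardened form: the email is prefilled, password fields are left blank,
    and the current password must be re-entered to change it."""
    rec = USERS[username]
    return (
        '<form method="post" action="/profile">\n'
        f'  <input name="email" value="{html.escape(rec["email"])}">\n'
        '  <input type="password" name="current_password" value="">\n'
        '  <input type="password" name="new_password" value="">\n'
        "</form>"
    )


def change_password(username: str, current_password: str, new_password: str) -> bool:
    """Reauthenticate before resetting: a hijacked session alone is not enough."""
    if not verify_password(username, current_password):
        return False
    set_password(username, new_password)
    return True


def page_contains_secret(page: str, secret: str) -> bool:
    """Simple check a reviewer can run over rendered output: does the HTML
    carry the secret, either raw or HTML-escaped?"""
    return secret in page or html.escape(secret) in page


if __name__ == "__main__":
    set_password("alice", "hunter2-constructed")
    print("leaky form exposes password:",
          page_contains_secret(render_profile_form_leaky("alice", "hunter2-constructed"),
                               "hunter2-constructed"))
    print("hardened form exposes password:",
          page_contains_secret(render_profile_form("alice"), "hunter2-constructed"))
    print("change with wrong current password:", change_password("alice", "wrong", "x"))
    print("change with correct current password:",
          change_password("alice", "hunter2-constructed", "new-constructed"))
```

The hardened path also removes the incentive to store plaintext at all: once the server keeps only a hash, a leaky template cannot prefill the password even by mistake, and a session hijacker who reaches the profile page learns nothing that lets them take over accounts elsewhere.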