RE: MSN contact list disclosure

From: Geoff Sweet (gsweet@worldvision.org)
Date: 02/09/02

• Previous message: Jason Hicks: "Re: Mrtg Path Disclosure Vulnerability"
• In reply to: Tom Micklovitch: "MSN contact list disclosure"
• Next in thread: Tom McAdam: "Re: MSN contact list disclosure"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Geoff Sweet" <gsweet@worldvision.org>
To: <bugtraq@securityfocus.com>
Date: Fri, 8 Feb 2002 15:10:05 -0800

I can confirm this. Recently I registered a hotmail account, and when I
logged onto MSN Messenger the first time it was loaded with contacts! A
couple of which began conversing with me at logon. At the time (about 8
weeks ago), I contacted Microsoft to let them know that this had happened.
At this point I have not heard back from them either.

Geoff Sweet
World Vision - Federal Way

-----Original Message-----
From: Tom Micklovitch [mailto:h_bugtraq@yahoo.com]
Sent: Friday, 08 February, 2002 02:05
To: bugtraq@securityfocus.com
Subject: MSN contact list disclosure

Exploit:

Register an account for MSN messenger, make some
contact email addresses, leave the account for 31
days. On a different machine (to ensure there's
no cache), go to the sign up section of MSN
messenger, sign up again, using the same screen
name. You'll be able to see the previous user's
contact list.

None of the contacts will have been alerted to
the fact that the new username actully belong to
an entirely different person, so they'll still be
sending messages, and if the new user is a haxor,
(s)he'll be replying just as if (s)he's the
original user.

I alerted Microsoft on monday, and have recieved
no reply. so there. :)

happy hacking.

=====
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12 - www.ebb.org/ungeek/
GIT d--- s--:- a--- C++++ UL++ P+ L+ E--- W+++ N- o-- K- w
O- M-- V- PS+++ PE-- Y+ PGP++ t+ 5- X+ R tv-- b+ DI++ D+
G+ e* h r++ y+++
------END GEEK CODE BLOCK------

__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com

---

• Previous message: Jason Hicks: "Re: Mrtg Path Disclosure Vulnerability"
• In reply to: Tom Micklovitch: "MSN contact list disclosure"
• Next in thread: Tom McAdam: "Re: MSN contact list disclosure"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: SP2 Messenger invokes Outlook? ... I think a switch to MSN Messenger 6.2 will work ... and use Outlook will find useful now. ... I went to www.microsoft.com and clicked on downloads ... email account and another accountincluding hotmail. ... (microsoft.public.windowsxp.messenger) Re: XP Home no longer saves .NET passport password ... | it from my account and re-add it but no luck. ... The version of MSN Messenger ... Whether or not you are also running Microsoft Windows ... This first document has some information on the Security ... (microsoft.public.windowsxp.general) Re: XP Home no longer saves .NET passport password ... | it from my account and re-add it but no luck. ... The version of MSN Messenger ... Whether or not you are also running Microsoft Windows ... This first document has some information on the Security ... (microsoft.public.windowsxp.basics) Re: XP Home no longer saves .NET passport password ... | it from my account and re-add it but no luck. ... The version of MSN Messenger ... Whether or not you are also running Microsoft Windows ... This first document has some information on the Security ... (microsoft.public.windowsxp.newusers) Re: XP Home no longer saves .NET passport password ... | it from my account and re-add it but no luck. ... The version of MSN Messenger ... Whether or not you are also running Microsoft Windows ... This first document has some information on the Security ... (microsoft.public.windowsxp.help_and_support)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)