Message-ID: <E403E1F7D72AD6119F2000A0C9E9856CC91917@OCORPNT>
Date: Fri, 27 Jun 2003 19:00:24 -0500
From: "Victor Manuel Alvarez Castro [oc]" <valvarez@...ther.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: [VulnDiscuss] Hotmail (Accounts) Vulnerability
Hotmail (Accounts) Vulnerability
I've tried to contact Microsoft support for Hotmail and Passport via
e-mail several times, but haven't received a response from them.
First, before you can get access to the Secret Question page, you must
choose a Country match for the account; that's not the hard part, is it?
Well, this problem appears to be due to an error in the code used to handle
new accounts, and it only affects accounts for which the "Secret Question" for
password recovery has not been set.
An account for which no secret password exists can be modified by other
users by entering a new password. It's easily identifiable because the
Secret Question field will be titled like "notset". Leave the Secret Answer
blank and then set a new password for the account, effectively giving
you control of the account.
Hotmail has had this Secret Question validation for a couple of years (before
that, the validation was not obligatory), so it is kind of old and
a lot of accounts exist with this flaw.
Best Regards
Victor Manuel Alvarez Castro (Birttok) [valvarez@...ther.com]
Security Consultant
Greets to [RaFa] from Scientech de Venezuela
Also www.cpiu.us for their great noble support
PS: (if somebody needs an example, please send me an e-mail)
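Added example, not part of Alvarez Castro's post and not Hotmail or Passport code: a hypothetical Python model of the recovery flaw the post describes, with the flawed check placed next to a hardened one. The account store, the assumption that an unset Secret Question is stored as a "notset" marker with an empty answer, and all function and field names are constructed for illustration.

```python
"""
Hypothetical model of a password-recovery check that accepts a blank Secret
Answer for an account whose Secret Question was never set.
Constructed example; not Hotmail/Passport code.
"""
import copy
import hmac
from dataclasses import dataclass

# Assumption: the marker an unset Secret Question is stored as (the post says
# the field reads "notset" for affected accounts).
NOT_SET = "notset"


@dataclass
class Account:
    email: str
    password: str
    country: str
    secret_question: str = NOT_SET  # assumption: unset accounts carry the marker
    secret_answer: str = ""         # assumption: unset accounts store an empty answer


# Constructed sample accounts: one created before the question was mandatory,
# one that has a question and answer configured.
ACCOUNTS = {
    "old@example.com": Account("old@example.com", "hunter2", "VE"),
    "new@example.com": Account("new@example.com", "correct horse", "VE",
                               "first pet", "rex"),
}


def fresh_db():
    """Return an independent copy of the sample store for each scenario."""
    return copy.deepcopy(ACCOUNTS)


def reset_password_vulnerable(db, email, country, answer, new_password):
    """Flawed recovery: after the Country match it only checks that the supplied
    answer equals the stored one. For an account with no Secret Question the
    stored answer is '', so a blank submission matches and a new password is set."""
    acct = db.get(email)
    if acct is None or acct.country != country:
        return False
    if answer == acct.secret_answer:  # '' == '' for unset accounts
        acct.password = new_password
        return True
    return False


def reset_password_fixed(db, email, country, answer, new_password):
    """Hardened recovery: refuse the Secret Question path entirely when no
    question/answer was ever configured, require a non-empty answer, and
    compare normalised answers in constant time."""
    acct = db.get(email)
    if acct is None or acct.country != country:
        return False
    if acct.secret_question == NOT_SET or not acct.secret_answer:
        return False  # no recovery secret exists: deny rather than match blank
    if not answer:
        return False
    supplied = answer.strip().casefold().encode()
    stored = acct.secret_answer.strip().casefold().encode()
    if hmac.compare_digest(supplied, stored):
        acct.password = new_password
        return True
    return False


def demo():
    """Run the takeover against both checks and a legitimate reset against the
    fixed one; returns (takeover_succeeded, takeover_blocked, legit_ok,
    old_pw_after_vulnerable, new_pw_after_fixed)."""
    db = fresh_db()
    took_over = reset_password_vulnerable(db, "old@example.com", "VE", "", "pwned")
    db2 = fresh_db()
    blocked = not reset_password_fixed(db2, "old@example.com", "VE", "", "pwned")
    legit = reset_password_fixed(db2, "new@example.com", "VE", "Rex", "newpw")
    return (took_over, blocked, legit,
            db["old@example.com"].password, db2["new@example.com"].password)


if __name__ == "__main__":
    print(demo())  # (True, True, True, 'pwned', 'newpw')
```

The fixed version treats "no recovery secret configured" as a distinct state that denies the reset outright, instead of letting an empty stored value compare equal to an empty submission; that missing state check, rather than the comparison itself, is the class of bug the post describes.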