Open Source and information security mailing list archives
 
Date: 18 Mar 2004 07:45:50 -0000
From: Stacy Martin <trust@...xo.com>
To: bugtraq@...urityfocus.com
Subject: Re: PLAXO: is that a cure or a disease?


In-Reply-To: <200403121752.i2CHqK8A028679@...187.megawebservers.com>

Thanks for the report.  This problem was fixed within hours of the original post on 3/12/04.  

While not diminishing the seriousness of the report, the impact of this vulnerability required the malicious user to already be in the Plaxo user's address book and to have received a Plaxo Update Request from the victim.  A security review of all Plaxo accounts showed no one besides the reporting user had found this problem and therefore no other Plaxo member's data was impacted.  

But nevertheless, since 3/12, we've made a number of additional changes and enhancements to our service in order to minimize the occurrence of these types of problems again.

We appreciate the assistance in finding this and we encourage people to continue to bang on Plaxo.  We only ask that if there is a next time, you give us time to develop a fix before telling truly malicious users.





