Message-ID: <422B33229C7D3D4A9E4078FE3A9B5F83DD3A@corp2-ex-nj.forwardtechnology.net>
Date: Fri, 17 Jun 2005 14:36:55 -0400
From: "Greg Merideth (Forward Technology)" <gmerideth@...wardtechnology.net>
To: <bugtraq@...urityfocus.com>
Subject: Tmobile users site shows other accounts email
This only affects users who access e-mail from their tmobile phones via
the tmobile site and who have configured tmobile with access to their
mail accounts:
Background
-=-=-=-=-=
A client of ours purchased the same phone that we use from Tmobile and
asked us to set up the e-mail connection link that Tmobile provides so he
can access his e-mail on the road from his phone.  After using my laptop
and logging in with his username/password and configuring his e-mail
profile, I left and went back to our office.  I fired up Firefox and
accessed the t-mobile site again this time logging into the site with my
username/password.
When I clicked the "my email" setting, I was shown the e-mail from my
client.  I was able to see and change all of the settings, including the
ability to "delete profile from phone".  I was able to read
any and all of the e-mail in his profile.  I logged out and logged back
in again several times with my account just to make sure I was using the
right profile.
What I tried
-=-=-=-=-=-=
I logged out of the Tmobile site, cleared out all cookies from
my.tmobile.com and logged in again; this time, the client's email was not
visible but mine was.  This occurred in both FF and IE, so this is
cookie-based.
Bad Design
-=-=-=-=-=
It appears that the Tmobile site is using a cookie, *not* based on the
current user's login session, to control which mailbox the currently
logged-in user has access to and is able to read mail from.
If you use a public terminal to read your e-mail from the t-mobile site,
logging out will not prevent the next person who attempts to log in from
viewing any and all of your email.
All of this was duplicated on both FF and IE.
         '''''
        ( o.o )
====oOOO==(_)==OOOo=====================
Greg Merideth
Forward Technology, LLC.
gmerideth@...wardtechnology.net
5912CED0BF361EC23C67F509C6EB5AB49AEAC107
========================================
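The design flaw described above, modelled as an added example that is not part of the original bugtraq post and has no connection to T-Mobile's actual code: a small in-memory web-site model in which the vulnerable variant picks the mailbox to display from a standalone browser cookie that outlives logout, while the hardened variant keeps the configured profile server-side, bound to the authenticated user, and clears the session on logout. The `Browser`, `VulnerableSite`, `HardenedSite` classes, the usernames, passwords and messages are all constructed for the demonstration.

```python
"""Added illustration (not code from the original post): the two designs the
report contrasts. VulnerableSite keys the mailbox on a 'mail_profile' cookie
that survives logout; HardenedSite binds it to the server-side session.
All users, passwords and messages below are constructed for the demo."""
import secrets

# Constructed fixtures: credentials and each account's mailbox.
PASSWORDS = {"client": "c-pass", "greg": "g-pass"}
MAILBOXES = {
    "client": ["client: invoice from vendor", "client: meeting at 3pm"],
    "greg": ["greg: nightly build failed"],
}


class Browser:
    """A cookie jar that persists across logins, like a shared terminal."""
    def __init__(self):
        self.cookies = {}


class VulnerableSite:
    """Mailbox selection keyed on a client-side cookie, not the login session."""
    def __init__(self):
        self.sessions = {}  # session id -> username

    def _user(self, browser):
        user = self.sessions.get(browser.cookies.get("sid"))
        if user is None:
            raise PermissionError("not logged in")
        return user

    def login(self, browser, user, password):
        if PASSWORDS.get(user) != password:
            return False
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.cookies["sid"] = sid
        return True

    def configure_email(self, browser):
        user = self._user(browser)
        # Flaw: the selected profile is persisted in its own cookie...
        browser.cookies["mail_profile"] = user

    def my_email(self, browser):
        self._user(browser)  # authenticated, but no authorization check:
        # ...and read back without verifying it belongs to the session's user.
        return MAILBOXES.get(browser.cookies.get("mail_profile"), [])

    def logout(self, browser):
        # Only the session cookie is dropped; 'mail_profile' is left behind.
        self.sessions.pop(browser.cookies.pop("sid", None), None)


class HardenedSite(VulnerableSite):
    """Profile lives server-side, bound to the user; logout clears everything."""
    def __init__(self):
        super().__init__()
        self.configured = {}  # username -> profile name

    def configure_email(self, browser):
        user = self._user(browser)
        self.configured[user] = user  # state keyed to the authenticated identity

    def my_email(self, browser):
        user = self._user(browser)
        return MAILBOXES.get(self.configured.get(user), [])

    def logout(self, browser):
        super().logout(browser)
        browser.cookies.clear()  # leave nothing behind on a shared terminal


def shared_terminal_scenario(site_cls):
    """Replay the report: the client sets up mail on a terminal and logs out;
    a second user then logs in on the same browser and opens 'my email'.
    Returns the mailbox that second user is shown."""
    site = site_cls()
    own_laptop, shared = Browser(), Browser()
    # The second user configured their own profile elsewhere, earlier.
    assert site.login(own_laptop, "greg", "g-pass")
    site.configure_email(own_laptop)
    site.logout(own_laptop)
    # The client configures mail on the shared browser and logs out.
    assert site.login(shared, "client", "c-pass")
    site.configure_email(shared)
    site.logout(shared)
    # The second user logs in on the shared browser with their own credentials.
    assert site.login(shared, "greg", "g-pass")
    return site.my_email(shared)


def leaks_other_users_mail(site_cls):
    """True if the second user is shown any mail that is not their own."""
    return any(not line.startswith("greg:")
               for line in shared_terminal_scenario(site_cls))


if __name__ == "__main__":
    print("vulnerable:", shared_terminal_scenario(VulnerableSite))
    print("hardened:  ", shared_terminal_scenario(HardenedSite))
```

The point the model makes explicit is that authentication (a valid `sid`) and authorization (which mailbox) must come from the same server-side session; any per-user state kept in a separate cookie is inherited by whoever next uses the browser, and a logout that does not invalidate the session and clear that state does not end the exposure.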