Date: Fri, 17 Jun 2005 14:36:55 -0400
From: "Greg Merideth (Forward Technology)" <gmerideth@...wardtechnology.net>
To: <bugtraq@...urityfocus.com>
Subject: Tmobile users site shows other accounts email


This only affects users who access e-mail from their tmobile phones via
the tmobile site and who have configured tmobile with access to their
mail accounts:

Background
-=-=-=-=-=

A client of ours purchased the same phone that we use from Tmobile and
asked us to set up the e-mail connection link that Tmobile provides so he
can access his e-mail on the road from his phone.  After using my laptop
and logging in with his username/password and configuring his e-mail
profile, I left and went back to our office.  I fired up Firefox and
accessed the t-mobile site again, this time logging into the site with my
username/password.

When I clicked the "my email" setting, I was shown the e-mail from my
client.  I was able to see and change all of the settings, including the
ability to "delete profile from phone".  I was able to read
any and all of the e-mail in his profile.  I logged out and logged back
in again several times with my account just to make sure I was using the
right profile.

What I tried
-=-=-=-=-=-=

I logged out of the Tmobile site, cleared out all cookies from
my.tmobile.com and logged in again; this time, the client's email was not
visible but mine was.  This occurred in both FF and IE, so this is
cookie-based.

Bad Design
-=-=-=-=-=

It appears that the Tmobile site is using a cookie, *not* based on the
current user's login session, to control what mailbox the currently logged
in user has access to and is able to read mail from.

If you use a public terminal to read your e-mail from the t-mobile site,
logging out will not prevent the next person who attempts to log in from
viewing any and all of your email.

All of this was duplicated on both FF and IE.

         '''''
        ( o.o )
====oOOO==(_)==OOOo=====================
Greg Merideth
Forward Technology, LLC.
gmerideth@...wardtechnology.net
5912CED0BF361EC23C67F509C6EB5AB49AEAC107
========================================
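The design flaw reported above, as an added example that is not part of the original post: a small model of a site that stores the selected mailbox in its own cookie (which survives logout) next to the corrected design that derives the mailbox from the authenticated session and expires all cookies on logout. Usernames, mailbox names and cookie names are constructed for illustration.

```python
# Added example, not code from the original post or from the site it describes.
# Usernames, mailbox names and cookie names below are constructed.

MAILBOXES = {"client": "client-mailbox", "auditor": "auditor-mailbox"}


class MailSite:
    def __init__(self, fixed):
        self.fixed = fixed          # False: vulnerable design, True: corrected
        self.sessions = {}          # session id -> username
        self.counter = 0

    def login(self, jar, username):
        self.counter += 1
        jar["session"] = f"sess-{self.counter}"
        self.sessions[jar["session"]] = username

    def configure_email(self, jar):
        user = self.sessions[jar["session"]]
        if not self.fixed:
            # Vulnerable: the chosen mailbox is persisted in its own cookie,
            # which is not bound to the login session that created it.
            jar["mail_profile"] = MAILBOXES[user]

    def my_email(self, jar):
        user = self.sessions.get(jar.get("session"))
        if user is None:
            return None                       # not logged in
        if self.fixed:
            return MAILBOXES[user]            # authorize by session identity
        # Vulnerable: a lingering mail_profile cookie wins over the session.
        return jar.get("mail_profile", MAILBOXES[user])

    def logout(self, jar):
        self.sessions.pop(jar.get("session"), None)
        if self.fixed:
            jar.clear()                       # expire every cookie the site set
        else:
            jar.pop("session", None)          # only the session cookie dies


def shared_terminal(fixed, clear_cookies_between_users=False):
    """Client configures email and logs out; the next person logs in."""
    site, jar = MailSite(fixed), {}
    site.login(jar, "client")
    site.configure_email(jar)
    site.logout(jar)
    if clear_cookies_between_users:
        jar.clear()                           # what the post did manually
    site.login(jar, "auditor")
    return site.my_email(jar)
```

`shared_terminal(False)` returns the client's mailbox for the second user, `shared_terminal(False, True)` shows that manually clearing cookies hides it (as the post observed), and `shared_terminal(True)` returns the second user's own mailbox without any manual step.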
