Open Source and information security mailing list archives
From: rms at computerbytesman.com (Richard M. Smith)
Subject: An expired domain name equals identity theft via email

The article describes an interesting hack involving intercepting
email messages being sent to expired domain names.  My take is that this
issue is more of a glitch in the domain registration system and not so
much an eBay security issue.  For example, MSN, Amazon, and Yahoo are
other places the bad guys could use email addresses from an expired
domain to gain access to Web site accounts.
 
Richard M. Smith
http://www.ComputerBytesMan.com

=======================================
 
http://www.auctionbytes.com/cab/abn/y03/m05/i15/s01

Auctionbytes-NewsFlash, Number 538 - May 15, 2003 - ISSN 1539-5065 
Expired Domains Expose EBay Security Glitch
By David Steiner
May 15, 2003  

....

The second eBay log-in vulnerability was discovered this week by
AuctionBytes and confirmed by two Internet security experts.

AuctionBytes purchased a domain name that had recently become available
after its original owner let the registration expire. After activating
the domain and setting up a mailbox, AuctionBytes began to receive
hundreds of spam messages addressed to former employees of the site -
over 20 different email addresses in all. 

Copying and pasting some of these email addresses into eBay's "Search by
Seller" search box allowed AuctionBytes to pull up IDs of people who
had previously worked for the site originally owning the domain name.
These employees had never bothered to change their contact email address
on eBay when the company dissolved. 

Although AuctionBytes did not attempt to hack into any of the idle
accounts, it was evident that it would be easy to gain access to the
account by using the "send me a new password" feature, since we now
owned the domain where all emails would be sent. Once a new password is
sent to the "expired" email address, the recipient is verified and able
to access all areas of the account, in effect, "hijacking" the account. 

.....
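The attack above works because the password-reset email is trusted as long as the address was verified once, even though the domain behind it has since lapsed and been re-registered by someone else. One defensive check an account-recovery system can make is to compare the mail domain's current registration date against the time the user last proved control of the address, and to refuse (or step up) the reset when the domain was registered later or no longer resolves. The following Python sketch is an added example and is not eBay's or AuctionBytes's code; the domain data it uses is a constructed table so it runs offline, standing in for what a real deployment would fetch from RDAP/WHOIS and DNS (an assumption, as is the account model).

```python
"""Audit helper: flag password-reset targets whose mail domain may have
changed hands since the address was verified.

Added example, not eBay's or AuctionBytes's code. The domain lookup is a
constructed stand-in for RDAP/WHOIS + DNS (assumed data sources).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass
class Account:
    user_id: str
    contact_email: str
    email_verified_at: datetime  # when the user last proved control of the address


def utc_day(year: int, month: int, day: int) -> datetime:
    """Timezone-aware midnight UTC for the given calendar day."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# (current registration created, resolves in DNS). None = no registration found.
DomainInfo = Tuple[Optional[datetime], bool]
DomainLookup = Callable[[str], DomainInfo]

# Constructed sample data (hypothetical domains, not real registrations).
CONSTRUCTED_DOMAINS: Dict[str, DomainInfo] = {
    "example.com": (utc_day(1995, 8, 14), True),            # long-lived, same owner
    "dissolved-corp.example": (utc_day(2003, 5, 10), True),  # lapsed, then re-registered
    "lapsed.example": (None, False),                         # expired, nobody holds it
}


def constructed_lookup(domain: str) -> DomainInfo:
    """Offline stand-in for an RDAP 'registration' event plus a DNS check."""
    return CONSTRUCTED_DOMAINS.get(domain, (None, False))


def mail_domain(address: str) -> str:
    """Return the normalised domain part of an email address.

    Uses the last '@' so quoted local parts cannot smuggle a fake domain,
    lowercases, and strips a trailing dot (FQDN form).
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def reset_risk(account: Account, lookup: DomainLookup = constructed_lookup) -> Optional[str]:
    """Explain why emailing a reset token to this account is risky, or None if it looks safe."""
    domain = mail_domain(account.contact_email)
    created, resolves = lookup(domain)
    if not resolves:
        return "domain does not resolve: registration may have lapsed"
    if created is not None and created > account.email_verified_at:
        # The domain was (re)registered after the user verified the address,
        # so whoever holds it now may not be the same party.
        return "domain registered after address was verified: possible new owner"
    return None


def audit(accounts: Iterable[Account], lookup: DomainLookup = constructed_lookup) -> Dict[str, str]:
    """Map each flagged user_id to the reason its reset email should not be trusted."""
    flagged: Dict[str, str] = {}
    for account in accounts:
        reason = reset_risk(account, lookup)
        if reason is not None:
            flagged[account.user_id] = reason
    return flagged


if __name__ == "__main__":
    # Constructed accounts: verified before the sample re-registration date.
    sample = [
        Account("u1", "alice@example.com", utc_day(2001, 1, 1)),
        Account("u2", "bob@Dissolved-Corp.example", utc_day(2002, 6, 1)),
        Account("u3", "carol@lapsed.example", utc_day(2002, 6, 1)),
    ]
    for user_id, reason in audit(sample).items():
        print(f"{user_id}: {reason}")
```

A flagged account should not receive a reset link by email at all; instead the flow should fall back to a second factor or a manual recovery process, and a clean result should also be re-checked at reset time rather than cached, since a domain can lapse at any point after verification.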
