Open Source and information security mailing list archives
 
Message-ID: <3F5BCC7D.5080001@stormvault.net>
From: nc at stormvault.net (Nicolas Couture)
Subject: Hotmail & Passport (.NET Accounts) Vulnerability

This vulnerability in Microsoft's .NET passports was fixed several 
months ago; read the thread correctly at 
http://marc.theaimsgroup.com/?t=105236474000001&r=1&w=2 .
 
I personally tried it and it will only work if the first email address 
in the URL is the same as the second email address, so I wouldn't call that a 
vulnerability since only the owner of the address in question can apply 
this method to get his password back, and it is totally useless if you 
have forgotten your password because you need to have access to the incoming 
mailbox of the address you're trying to change the password for.

http://www.microsoft.com/security/passport_issue.asp

    I am forwarding this as it may impact people who depend on MSN or
    passport systems for business reasons. Contrary to what at
    least one of the full-disclosure follow-ups reports, it does work.
     
    ---------- Forwarded message ----------
    Subject: [Full-Disclosure] Hotmail & Passport (.NET Accounts)
    Vulnerability


