From: nc at stormvault.net (Nicolas Couture)
Subject: Hotmail & Passport (.NET Accounts) Vulnerability

This vulnerability in Microsoft's .NET passports has been fixed several months ago, read the thread correctly at http://marc.theaimsgroup.com/?t=105236474000001&r=1&w=2 .

I personally tried it and it will only work if the first email address in the URL is the same as the second email address, so I wouldn't call that a vulnerability since only the owner of the address in question can apply this method to get his password back, and it is totally useless if you have forgotten your password because you need to have access to the incoming mail box of the address you're trying to change the password.

http://www.microsoft.com/security/passport_issue.asp

I am forwarding this as it may impact people who depend on MSN or passport systems for business reasons. Contrary to what at least one of the full-disclosure follow-ups reports, it does work.

---------- Forwarded message ----------
Subject: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability