lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: nc at stormvault.net (Nicolas Couture)
Subject: Hotmail & Passport (.NET Accounts) Vulnerability

This vulnerability in Microsoft's .NET passports has been fixed several 
months ago, read the thread correctly at 
http://marc.theaimsgroup.com/?t=105236474000001&r=1&w=2 
<http://marc.theaimsgroup.com/?t=105236474000001&r=1&w=2> .
 
I personally tried it and it will only work it the first email address 
in URL is the same as the second email address so I wouldn't call that a 
vulnerability since only the owner of the address in question can apply 
this methode to get his password back and it is totally useless if you 
forgotten your password because you need to have access to the incoming 
mail box of the address you're trying to change the password.

http://www.microsoft.com/security/passport_issue.asp

    I am forwarding this as it may impact people whom depend on MSN or
    passport systems for business reasons. Contrary to what at
    least one of the full-disclosure follow-ups reports, it does work.
     
    ---------- Forwarded message ----------
    Subject: [Full-Disclosure] Hotmail & Passport (.NET Accounts)
    Vulnerability



Powered by blists - more mailing lists