Message-ID: <20040129012545.78046.qmail@web20211.mail.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: Unsecure Password recovery policy [Forgot password...] in hotmail!
Explanation:
A person could gain useful info. about
VICTIM@...mail.com that could be used in password
recovery... even by an illegitimate user by simply
"getting a LEGITIMATE reply" from VICTIM@...mail.com
;o)
Strange!
Firstly, the simple trick is to make him/her
[whome_he_wanna_hack@...mail.com] just reply to you...
WITH ANYTHING! [Maybe... BY ASKING FOR SOMETHING
...Indeed painless!] As soon as the attacker gets an
email reply from VICTIM@...mail.com, the attacker
then simply looks at the email header, & finds
VICTIM@...mail.com country's GMT time: through his
email header [ ... which was used by
"VICTIM@...mail.com" while registering HOTMAIL!]
A TYPICAL HEADER WOULD LOOK LIKE
----------------------------------
X-Originating-IP: [*.*.*.*]
X-Originating-Email: [VICTIM@...mail.com]
Received: from *.*.*.*by lw10fd.law10.hotmail.msn.com
with HTTP;Wed, 13 Aug 2003 13:40:38 +5:45 GMT
----------------------------------
Using his grade 3 maths skills, (o: the attacker
could then effectively predict the victim's
country/STATE name [ ... which was used by the
"victim" while registering HOTMAIL!] just by knowing
his +/- **:** GMT through the email header of
VICTIM@...mail.com
This info. could be very effectively used in the Password
recovery policy of hotmail!
Well, after about 40% of the holy grail OBTAINED!
........ All the attacker now has to do is guess a
simple/'SENSIBLE' secret answer [most of the time...]
before he gets full control of VICTIM@...mail.com
INBOX!
________________________________________________________
Microsoft REPLIED to me, pointing out ... a SUPPOSED
TO BE similar issue!
[quote] -> 3rd para. LAST LINE!
http://www.informationweek.com/story/showArticle.jhtml?articleID=10817862
If the attacker knew the victim's E-mail address and
basic geographic location information, accounts would
be at risk, the advisory stated.
[/quote]
[quote] -> 4th para.
The vulnerability appears to be minor, says John
Pescatore, research director at Gartner. The fact that
an attacker would have to enter city, state, and ZIP
code information to exploit the security hole would
have prevented widespread automated identity theft, he
says. "It would generally prevent automated attacks
and at least require me to know two pieces of data
about a target E-mail account," he says.
[/quote]
Well, I read the issue! But MARK THAT, ....... I
submitted to you a technique to predict the
country/state by which it could be predicted!!! ...
Aren't the words... "MAY BE.. if" and "this is how..."
different???
___________________________________________
WHAT DO YOU SAY, guys?
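
Seen from the sending side, the two leaks this post relies on are the X-Originating-* fields and the local GMT offset in the timestamps. The following is an added example, not part of the original post or any provider's code: it audits a message for both and rewrites it with the client fields dropped and the times in UTC. The sample message and the names `split_stamp`, `audit` and `scrub` are constructed for illustration.

```python
from datetime import timezone
from email import message_from_string
from email.utils import format_datetime, parsedate_to_datetime

SAMPLE = (  # constructed sample: documentation-range IP, example.com address
    "X-Originating-IP: [192.0.2.10]\n"
    "X-Originating-Email: [user@example.com]\n"
    "Received: from 192.0.2.10 by mail.example.com with HTTP;"
    " Wed, 13 Aug 2003 13:40:38 +0545\n"
    "Date: Wed, 13 Aug 2003 13:40:38 +0545\n"
    "Subject: Re: hello\n\nbody\n"
)
CLIENT_HEADERS = {"x-originating-ip", "x-originating-email"}
DATED_HEADERS = {"received", "date"}

def split_stamp(value):
    """Split 'prefix; timestamp' and parse the timestamp (None if unparseable)."""
    prefix, sep, stamp = value.rpartition(";")
    try:
        return prefix + sep, parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):
        return prefix + sep, None

def audit(raw):
    """List (header, reason) pairs for fields that reveal where the sender is."""
    findings = []
    for name, value in message_from_string(raw).items():
        if name.lower() in CLIENT_HEADERS:
            findings.append((name, "client-identifying header"))
        elif name.lower() in DATED_HEADERS:
            _, dt = split_stamp(value)
            if dt is not None and dt.utcoffset():
                findings.append((name, "local UTC offset " + dt.strftime("%z")))
    return findings

def scrub(raw):
    """Drop client headers and rewrite timestamps to UTC, keeping header order."""
    msg = message_from_string(raw)
    kept = [(n, v) for n, v in msg.items() if n.lower() not in CLIENT_HEADERS]
    for name in msg.keys():
        del msg[name]
    for name, value in kept:
        if name.lower() in DATED_HEADERS:
            prefix, dt = split_stamp(value)
            if dt is not None and dt.utcoffset() is not None:
                utc = format_datetime(dt.astimezone(timezone.utc))
                value = f"{prefix} {utc}".strip()
        msg[name] = value
    return msg.as_string()
```

The `from` clause of the Received line still carries the client address; this example covers only the X-Originating-* fields and the timestamp offset.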