lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040129012545.78046.qmail@web20211.mail.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: Unsecure Password recovery policy [Forgot password...] in hotmail!

Explaination:

A person could gain useful info. about
VICTIM@...mail.com that could be used in password
recovery... even by a unlegimate user by simply
"getting a LEGIMATE reply"  from VICTIM@...mail.com 
;o) 
Strange!
Firstly, the simple trick is to make him/her 
[whome_he_wanna_hack@...mail.com]  just reply you...
WITH ANYTHING! [Maybe... BY ASKING FOR SOMETHING
...Indeed painless!] As soon as the attacker get's a
email  reply from VICTIM@...mail.com,  the attacker
then simply look's at the email header, & fInd's
VICTIM@...mail.com country's gmt time: through his
email header [ ... which was used by
"VICTIM@...mail.com" while regestering HOTMAIL!]  

A TIPICAL HEADER WOULD LOOK LIKE
----------------------------------
X-Originating-IP: [*.*.*.*] 
X-Originating-Email: [VICTIM@...mail.com] 
Received: from *.*.*.*by lw10fd.law10.hotmail.msn.com
with HTTP;Wed, 13 Aug 2003 13:40:38 +5:45 GMT
----------------------------------
Using his grade 3 maths skills, (o:  the attacker
could then effectively predict the victims's
country/STATE name [ ... which was used by the
"victim" while regestering HOTMAIL!] just by knowing
his +/- **:** GMT through the email header! of
VICTIM@...mail.com
This info. could be very effectively used in Password
recovery policy of hotmail!
Well, after about 40% of the holygrain OBTAINED! 
........ All the attacker now have to do is guess a
simple/'SENSIBLE' secret answer [most of the time...]
before he get's full control of VICTIM@...mail.com
INBOX!
________________________________________________________
Microsoft REPLIED me, pointing out ... about a SUPPOSE
TO BE similar issue!

[quote] ->3'rd para. LAST LINE!

http://www.informationweek.com/story/showArticle.jhtml?articleID=10817862
If the attacker knew the victim's E-mail address and
basic geographic location information, accounts would
be at risk, the advisory stated. 
[/quote]

[quote] -> 4'th para.
The vulnerability appears to be minor, says John
Pescatore, research director at Gartner. The fact that
an attacker would have to enter city, state, and ZIP
code information to exploit the security hole would
have prevented widespread automated identity theft, he
says. "It would generally prevent automated attacks
and at least require me to know two pieces of data
about a target E-mail account," he says. 
[/quote]


well i read the issue! but MARK THAT, ....... i
submitted you a  technique to predict the
country/state by which it could pe predicted!!! ... 

Isn't the word... "MAY BE.. if" and "this is how..."
different???
___________________________________________
wHAT DO YOU SAY, guys?

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ