| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 29 Jul 2007 12:50:11 -0500 From: MadHat Unspecific <madhat@...pecific.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: MySpace e-mail importer rasies security concerns Kristian Hermansen wrote: > On 7/29/07, "HACK THE GOV" <hackthegov@...glemail.com> wrote: >> "we've recently noticed the functionality of myspace in respect of the >> e-mail importer raises privacy and security concerns. > > Yea, it would be a dumb idea to use that feature. Although, if you > really really really want to use it, it would be wise to temporarily > change your password, use the feature, and then set it back to > minimize the abuse potential. Still a bad idea. > > LinkedIn also has this functionality... > https://www.linkedin.com/secure/uploadContacts?displayWebMail=&trk=inv_webmail > Facebook, Spock and several other sites are implementing this type of 'feature'. It is interesting to see how people are willing to give someone their password. I sent a message to the local DC214 group about this not too long ago[1]. One member responded with a story of financial website that used a similar method to verify your bank account (optional) by giving the login credentials of your bank account on the bank's website. [1] the original email I sent, nothing too interesting: I recently started looking at Facebook and Spock as online services. I was curious what they offered and how they were different from other services. One of the things I found interesting about both is that both offered, or forced (if you want to use their service), to log into other online services for you and scrape the data from that other services. Both offer some way of importing address book from mail applications or address books. On each you were asked to give the login and pass for services such as yahoo, gmail, myspace, hotmail, etc... and then the service would log in and get a copy of your address book or other details you had entered and replicate the data or offer to "spam" your contacts with invites to the new service. You have no way to know if these credentials are being stored or if they are using ssl or what the network landscape is like between the 2 services. Personally I expect those accounts to be compromised and use throwaway passwords on them, so I can play with each of these services. It's not like I saw anything revolutionary in any of them, but I found the idea of trusting them to have the credentials to so many other online services interesting and why people would be willing to give them up (other than stupidity and 'sheeple-ness'). -- MadHat (at) Unspecific.com, CĀ²ISSP E786 7B30 7534 DCC2 94D5 91DE E922 0B21 9DDC 3E98 gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists