Message-ID: <CAPgP4gwEqhnV7ER+EmvQMkS8w+7Mb5JM3NFD1Mm9UbO_DDY+Gg@mail.gmail.com>
Date: Wed, 24 Oct 2012 09:39:30 -0700
From: warning@...e-error.net
To: full-disclosure@...ts.grok.org.uk
Subject: LiveChatInc.com breached

A while back, LiveChat, Inc was breached via a very simple web
exploit. Their customers were never notified to update their password
or information.

Details:
LiveChatInc.com allows businesses to offer chat services integrated
into their web platform. Via the customer's panel, one can reset a
password. LiveChatInc.com fails to check input properly and you can
reset ANY user account, but also specify your return email for the
link. It also works with password set fields. This exploit was used to
compromise the actual administrators of LiveChatInc.com and add an
admin user that can see ALL ACCOUNTS from ALL THEIR CUSTOMERS.
Basically, very bad mojo.

There are many more bugs to be found. Go ahead and sign up for a free
trial account if you would like to verify: Image File Upload, XSS, and CSRF.
Maybe they will get smarter in the future?

https://www.livechatinc.com/signup/

The customers that they didn't notify and may have been attacked using
this trust relationship are as follows:
* Adobe
* Netgear
* France Telecom-Orange
* Roku
* LunarPages
* BBB
* Bosch
* and many more!

#warning

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
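The reset flaw the post describes (the link goes to an email address the requester supplies, so any account can be claimed) next to a hardened handler, as an added illustration that is not part of the original post and not LiveChat's code. The user table, outbox and token store are constructed in-memory stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins (assumptions for the example, not a real system).
USERS = {"admin": {"email": "admin@example.invalid", "password": "old"}}
OUTBOX = []            # (recipient, token) pairs that would have been mailed
RESET_TOKENS = {}      # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL = 900        # reset links stay valid for 15 minutes


def request_reset_vulnerable(username, return_email):
    """Pattern the post describes: the reset link is mailed wherever the
    requester says, so the account owner never sees it."""
    if username not in USERS:
        return False
    token = secrets.token_urlsafe(32)
    OUTBOX.append((return_email, token))
    return True


def request_reset(username):
    """Hardened: the recipient comes only from the account on record, the
    token is random and stored hashed with a short lifetime, and the reply
    does not reveal whether the account exists."""
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[token_hash] = (username, time.time() + TOKEN_TTL)
        OUTBOX.append((user["email"], token))
    return "If that account exists, a reset link has been sent."


def complete_reset(token, new_password, now=None):
    """Consume a token exactly once; reject unknown or expired tokens."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    USERS[username]["password"] = new_password
    return True
```

Detection-wise, a reset request whose recipient differs from the address on record, or a burst of resets for privileged accounts, is the signal a defender would alert on.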
