I'm sure you're all familiar with the CERT advisory:

http://www.cert.org/advisories/CA-2000-02.html

Sprint PCS's web site is vulnerable to this flaw. Any text you enter into the customer care area is subsequently displayed verbatim on a web page:

https://www.sprintpcs.com/manage/myaccount.asp

To access that page, you must have a Sprint PCS account and password. As soon as you post your question, it will appear in your case history -- HTML and all.

At this point in time, it is unclear whether Sprint PCS customer service representatives use a web browser to respond to these questions. If this is the case, clever hackers could exploit this vulnerability to gain sensitive information about Sprint PCS, possibly including confidential customer information.

There is a similar form for non-customers at:

https://www.sprintpcs.com/learn/form_public_question.asp

You don't get to see the results yourself, but, again, if Sprint PCS reps use a web browser, their systems could be compromised.

Paul
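
The flaw described above, stored text echoed into a case-history page without encoding, shown beside output-time encoding and a simple audit of stored entries. This is an added example, not part of the original post and not Sprint PCS code; the record layout, function names and sample entries are assumptions constructed for illustration.

```python
import html
import re

# Constructed sample case-history entries (not real data); entry 2 contains
# markup, as a question typed into the customer care form might.
CASES = [
    {"id": 1, "author": "customer", "text": "When does my billing cycle end?"},
    {"id": 2, "author": "customer",
     "text": 'Phone shows <b>no service</b> & "roaming" all day'},
]

# Anything shaped like an opening or closing HTML tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_verbatim(cases):
    """Flawed pattern: stored text is placed into the page as-is."""
    rows = "".join(f"<li>{c['text']}</li>" for c in cases)
    return f"<ul>{rows}</ul>"


def render_encoded(cases):
    """Encode at output time, so stored text is displayed rather than parsed.

    quote=True also covers values placed inside attributes (title here).
    """
    rows = "".join(
        f'<li title="{html.escape(c["author"], quote=True)}">'
        f'{html.escape(c["text"], quote=True)}</li>'
        for c in cases
    )
    return f"<ul>{rows}</ul>"


def entries_with_markup(cases):
    """Audit helper: ids of stored entries that contain HTML-like tags."""
    return [c["id"] for c in cases if TAG_RE.search(c["text"])]


def injected_tags(page):
    """Tags in a rendered page other than the template's own ul/li."""
    own = re.compile(r"<\s*/?\s*(ul|li)\b")
    return [t for t in TAG_RE.findall(page) if not own.match(t)]


if __name__ == "__main__":
    print("verbatim page carries:", injected_tags(render_verbatim(CASES)))
    print("encoded page carries: ", injected_tags(render_encoded(CASES)))
    print("stored entries to review:", entries_with_markup(CASES))
```

Encoding has to happen on every page that displays the stored text, including whatever internal view the representatives use, since that is the reader the post is concerned about.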