* Trey Valenta <treyat_private> [020109 18:35]:
> myvoicestream.com allows VoiceStream Wireless customers to manage their
> phones and billing accounts over SSL. Access controls to sessions are

You missed the worst of it:

If you go to the 'update profile' page and view source, you can see the
currently set password.

(Web authors: please stop doing this, please leave those blank, please
require reauthentication when resetting passwords. I've found another
site today apart from that that I just notified the vendor of...)

Thus: you can hijack a session and gain a potentially re-used common
password and compromise a person's other accounts with that gained
information.

--
Scott Dier <diemanat_private> http://www.ringworld.org/
the desire for space travel is a metaphor for escape
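The two fixes asked for above (leave password fields blank, and require the current password before accepting a new one) are shown below in an added example. This is not code from the original post or from the site discussed; the user record, the form markup and the names make_user, render_profile_form_leaky, render_profile_form and change_password are all constructed for illustration.

```python
import hashlib
import hmac
import html
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the constructed example


def make_user(username, password):
    """Constructed user record: the password is stored only as a salted hash,
    so the server cannot echo it back into any page even by accident."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
    }


def verify_password(user, candidate):
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["pw_hash"])


def render_profile_form_leaky(user, current_password_plaintext):
    """The anti-pattern described in the post: the current password is written
    into the form's value attribute, so anyone who can view the page source
    (including someone riding a hijacked session) reads it in clear."""
    return (
        '<input name="username" value="%s">\n' % html.escape(user["username"])
        + '<input type="password" name="password" value="%s">'
        % html.escape(current_password_plaintext)
    )


def render_profile_form(user):
    """Fixed form: password fields are always rendered empty. Only the
    username is prefilled; the page source never carries a credential."""
    return (
        '<input name="username" value="%s">\n' % html.escape(user["username"])
        + '<input type="password" name="current_password" value="">\n'
        + '<input type="password" name="new_password" value="">'
    )


def change_password(user, current_password, new_password):
    """Re-authentication on password change: a valid session cookie alone is
    not enough; the caller must also prove knowledge of the current password.
    Returns True on success, False if re-authentication fails."""
    if not verify_password(user, current_password):
        return False
    if not new_password:
        return False
    salt = os.urandom(16)
    user["salt"] = salt
    user["pw_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    return True


if __name__ == "__main__":
    u = make_user("alice", "hunter2")
    print("leaky form exposes password:", "hunter2" in render_profile_form_leaky(u, "hunter2"))
    print("fixed form exposes password:", "hunter2" in render_profile_form(u))
    print("change without reauth:", change_password(u, "wrong", "newpass"))
    print("change with reauth:", change_password(u, "hunter2", "newpass"))
```

The point of the hashed storage is that the safe form cannot regress: once the server holds only a salted hash, there is nothing to prefill, so the leak the post describes becomes impossible rather than merely avoided.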
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 20:09:34 PST