Re: MSN contact list disclosure

From: Tom McAdam (tomc@future-i.com)
Date: Sun Feb 10 2002 - 02:28:41 PST

    On Fri, 8 Feb 2002, Tom Micklovitch wrote:
    
    > Exploit:
    > 
    > Register an account for MSN messenger, make some contact email
    > addresses, leave the account for 31 days. On a different machine (to
    > ensure there's no cache), go to the sign up section of MSN messenger,
    > sign up again, using the same screen name. You'll be able to see the
    > previous user's contact list.
    >
    > -- snip -- 
    
    This issue was initially reported back in August 2000 to Bugtraq [1] by
    James Nelson.
    
    Microsoft did respond [2] but must've decided it wasn't an issue... all
    those lovely graphical updates to make Messenger look pretty were
    obviously deemed more important.
    
    
    [1] http://www.securityfocus.com/archive/1/76183
    [2] http://www.securityfocus.com/archive/1/76388
    


