Bugtraq mailing list archives
Re: MSN contact list disclosure
From: Tom McAdam <tomc () future-i com>
Date: Sun, 10 Feb 2002 10:28:41 +0000 (GMT)
On Fri, 8 Feb 2002, Tom Micklovitch wrote:
Exploit: Register an account for MSN messenger, make some contact email addresses, leave the account for 31 days. On a different machine (to ensure there's no cache), go to the sign up section of MSN messenger, sign up again, using the same screen name. You'll be able to see the previous user's contact list. -- snip --
This issue was initially reported back in August 2000 to Bugtraq [1] by James Nelson Microsoft did respond [2] but must've decided it wasn't an issue... all those lovely graphical updates to make Messenger look pretty were obviously deemed more important. [1] http://www.securityfocus.com/archive/1/76183 [2] http://www.securityfocus.com/archive/1/76388
Current thread:
- MSN contact list disclosure Tom Micklovitch (Feb 08)
- RE: MSN contact list disclosure Geoff Sweet (Feb 10)
- Re: MSN contact list disclosure Tom McAdam (Feb 11)