BreachExchange mailing list archives

Re: [Dataloss] Eloqua, subscription manager for VMWare, leaks customer info


From: Dennis Dayman <dennis-lists () thenose net>
Date: Fri, 15 Apr 2011 14:37:46 -0500

Hey folks,

        I'm with Eloqua and their CSO. I am more than happy to answer anything here. We are addressing this with the 
customer and ensuring they can't "stab" themselves in the foot again. We have or are making changes to our look-up to 
prevent this in the future.

-Dennis

---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Thu, Apr 14, 2011 at 1:23 AM
Subject: [Dataloss] Eloqua, subscription manager for VMWare, leaks customer info
To: dataloss-discuss () datalossdb org, dataloss () datalossdb org

http://andrewmohawk.com/2011/04/13/vmware-user-information-leak/

VMWare User Information Leak
This entry was posted on Apr 13 2011

Click here to search the VMWare user database!

So last week some time Chris Hadnagy linked me to the following URL:
http://info.vmware.com/content/opt-out which was pretty interesting last
week. Basically it allowed someone to fill in their email address to
manage their VMWare subscriptions. I noticed a couple of things from the
next pages:

    * The fields auto populated with details like Name, Phone Number etc
(I know, without auth and only an email address . worriedface)
    * Another tab became available that allowed you to update your details
. again, no auth, scary

So I whipped out the good old firebug and started looking through the ajax
calls till I came across this little gem:

[..]

http://www.andrewmohawk.com/VMWareScraper/

VMWare/Eloqua leaks your info!

Basically Eloqua (the subscription guys for VMWare) are leaking customer
info via svrGP.aspx, discovered by Chris Hadnagy and Andrew MacPherson

Thanks,
Andrew MacPherson
(andrew () andrewmohawk com)


_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
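As an added illustration (not code from Eloqua, VMware or the post's author), the lookup pattern the post describes beside a hardened preference-center design, in Python with a constructed subscriber record: an email-only request never returns profile data or confirms the address exists, and the profile is shown only against a single-use, time-limited token delivered to the mailbox.

```python
import hashlib
import secrets
import time

# Constructed sample subscriber store (hypothetical values, not from the post).
SUBSCRIBERS = {
    "alice@example.com": {"name": "Alice Example", "phone": "555-0100", "lists": ["news"]},
}


def vulnerable_lookup(email):
    """Pattern described in the post: anyone who supplies an email address
    gets that subscriber's name, phone number etc. back, with no authentication."""
    return SUBSCRIBERS.get(email)


class PreferenceCenter:
    """Hardened variant: the email form only triggers a management link.
    The link carries a random token; only its hash is stored server-side,
    it expires after TTL seconds and it is consumed on first use."""

    TTL = 15 * 60  # seconds a management link stays valid

    def __init__(self, outbox):
        self.outbox = outbox   # delivery hook: outbox(email, token), e.g. sends mail
        self.pending = {}      # sha256(token) -> (email, expiry timestamp)

    def request_link(self, email):
        if email in SUBSCRIBERS:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (email, time.time() + self.TTL)
            self.outbox(email, token)  # token goes only to the mailbox owner
        # Identical response whether or not the address is subscribed,
        # so the form cannot be used to enumerate customers.
        return "If that address is subscribed, a management link has been sent."

    def open_with_token(self, token):
        """Return the profile for a valid token, consuming it; None otherwise."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # single use: gone after this call
        if entry is None:
            return None
        email, expiry = entry
        if time.time() > expiry:
            return None
        return dict(SUBSCRIBERS[email], email=email)
```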

