Full Disclosure mailing list archives
LiveChatInc.com breached
From: warning () type-error net
Date: Wed, 24 Oct 2012 09:39:30 -0700
A while back, LiveChat, Inc. was breached via a very simple web exploit. Their customers were never notified to update their password or information.

Details: LiveChatInc.com allows businesses to offer chat services integrated into their web platform. Via the customer's panel, one can reset a password. LiveChatInc.com fails to check input properly and you can reset ANY user account, but also specify your return email for the link. Also works with password set fields.

This exploit was used to compromise the actual administrators of LiveChatInc.com and add an admin user that can see ALL ACCOUNTS from ALL THEIR CUSTOMERS. Basically, very bad mojo.

There are many more bugs to be found. Go ahead and sign up for a free trial account if you'd like to verify. Image File Upload, XSS, and CSRF. Maybe they get smarter in the future?

https://www.livechatinc.com/signup/

The customers that they didn't notify and may have been attacked using this trust relationship are as follows:

* Adobe
* Netgear
* France Telecom-Orange
* Roku
* LunarPages
* BBB
* Bosch
* and many more!

#warning

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
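As an added illustration, not code from the post or from LiveChat's own system, the reset-flow weakness described above (the request names both the account and the address that receives the link) next to a hardened version; the account store, outbox, function names and sample values are constructed for this example.

```python
import secrets
import time

# Constructed sample data: an in-memory account store and a "mail outbox" that
# stands in for the real mail sender, so the example runs offline.
ACCOUNTS = {"alice": {"email": "alice@example.com", "password": "old-secret"}}
OUTBOX = []          # list of (recipient, token) pairs that "were emailed"
RESET_TOKENS = {}    # token -> (username, expiry timestamp)
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

def request_reset_vulnerable(username, email_to):
    """The flaw the post describes: the client names the account AND the
    address that receives the link, so anyone can reset any account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + TOKEN_TTL)
    OUTBOX.append((email_to, token))      # recipient chosen by the requester
    return token

def request_reset_secure(username):
    """Hardened version: the link only ever goes to the address on record,
    the token is bound to that account, and the response is identical
    whether or not the account exists (no account enumeration)."""
    account = ACCOUNTS.get(username)
    if account is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = (username, time.time() + TOKEN_TTL)
        OUTBOX.append((account["email"], token))  # recipient chosen by server
    return "If that account exists, a reset link has been sent."

def set_password(token, new_password):
    """Password-set endpoint: accepts only an unexpired, single-use token and
    changes the password of the account the token was issued for, never an
    account named in the request itself."""
    entry = RESET_TOKENS.pop(token, None)   # pop makes the token single-use
    if entry is None:
        return False
    username, expiry = entry
    if time.time() > expiry:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True
```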