RE: Folllow-up to the Hotmail/MSN password reset problems

[Dan Hanson <dhanson () securityfocus com>]

Hi Gaby,

Thanks for the information. While my intention was not to shut down all
discussion on the implications of the vulnerability, and the impact it
might have on networks, but the context of the follow-up posts were
primarily reports of success of failure in the procedure described.

Any posts that take a new tack from what has been discussed in this thread
are welcome.

D


On Fri, 9 May 2003, Dowling, Gabrielle wrote:

> What you are suggesting is significantly different from what our TAM
> told us today, which was that they don't have a way to detect
> compromised accounts (in response to my explicit question about that).
> I believe they can only restore compromised accounts.
>
> Further, it was not generally described that email accounts could have
> been accessed through this vulnerability, but certainly they were
> exposed since the password is the same.
>
> The shutdown of the link prevents any new compromises, but I don't get
> how that is reason to shut down this thread.  This appears to be the
> most critical vulnerability in recent times, and appears to destroy any
> credibility in the passport initiative.
>
> Gaby
>
>  -----Original Message-----
> From:         Dan Hanson
> Sent: Thu May 08 19:33:33 2003
> To:   incidents () securityfocus com
> Subject:      Folllow-up to the Hotmail/MSN password reset problems
>
> As many of you have noted, this was fixed shortly after it was posted to
> this list. Microsoft also appears to have locked out any accounts of
> people whom they feel may have been affected by this, therefore anyone
> who "tested" on their own account can expect that their old and new
> passwords will not work.
>
> Most of the information is on many news sites or channels. As such, this
> thread can be considered dead.
>
>
> ----------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network 
> security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals.  The two-day Briefings on May 14-15 
> features 24 top speakers with no vendor sales pitches.  Deadline for the best rates is April 25.  Register today to
> ensure your place. http://www.securityfocus.com/BlackHat-incidents
> ----------------------------------------------------------------------------
>
>
>
> **********************************************************************
> This e-mail is sent by a law firm and contains information
> that may be privileged and confidential. If you are not the
> intended recipient, please delete the e-mail and notify us
> immediately.
> ***********************************************************************

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------