Vulnerability Development mailing list archives
Re: MSN messenger service
From: root () RGFSPARC CR USGS GOV (Robert G. Ferrell)
Date: Wed, 19 Apr 2000 11:37:31 -0500
I have noticed that when I check email from the MSN Messenger, MSN Messenger writes a temp file in C:\windows\temp\sfd4080.htm. The contents of that file are below. What I have found is that if that file is saved, you can use it as a redirect to hotmail without using a password. I wonder what a "while true" loop looking in c:\windows\temp\ would be able to capture? Session seems to time out around 5 minutes. When that happens, the "creds" value changes but not the auth.
I haven't done any serious investigation of the mechanism of this, but I've noticed that my MS Outlook 97 (8.02,4212) exhibits similar behavior (albeit in a much smaller time frame). If I log off and log right back on (< 3 or 4 secs), I don't need to reenter my authentication information at all. This doesn't seem like a particularly exploitable vulnerability, but it's worthy of mention, anyway...

RGF

Robert G. Ferrell, CISSP
Information Systems Security Officer
National Business Center, US DoI
Robert_G_Ferrell () nbc gov
------------------------------------------------------------
Nothing I have ever said should be construed as even vaguely
representing an official statement by the NBC or DoI.
------------------------------------------------------------