Bugtraq mailing list archives

MSN contact list disclosure

From: Tom Micklovitch <h_bugtraq () yahoo com>
Date: Fri, 8 Feb 2002 02:04:38 -0800 (PST)

Exploit:

Register an account for MSN messenger, make some
contact email addresses, leave the account for 31
days. On a different machine (to ensure there's
no cache), go to the sign up section of MSN
messenger, sign up again, using the same screen
name. You'll be able to see the previous user's
contact list.

None of the contacts will have been alerted to
the fact that the new username actully belong to
an entirely different person, so they'll still be
sending messages, and if the new user is a haxor,
(s)he'll be replying just as if (s)he's the
original user.

I alerted Microsoft on monday, and have recieved
no reply. so there. :)

happy hacking.

=====
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12 - www.ebb.org/ungeek/
GIT d--- s--:- a--- C++++ UL++ P+ L+ E--- W+++ N- o-- K- w 
O- M-- V- PS+++ PE-- Y+ PGP++ t+ 5- X+ R tv-- b+ DI++ D+ 
G+ e* h r++ y+++ 
------END GEEK CODE BLOCK------

__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com

Current thread:

MSN contact list disclosure Tom Micklovitch (Feb 08)
- RE: MSN contact list disclosure Geoff Sweet (Feb 10)
- Re: MSN contact list disclosure Tom McAdam (Feb 11)