RE: MSN contact list disclosure

["Geoff Sweet" <gsweet () worldvision org>]

I can confirm this.  Recently I registered a hotmail account, and when I
logged onto MSN Messenger the first time it was loaded with contacts!  A
couple of which began conversing with me at logon.  At the time (about 8
weeks ago), I contacted Microsoft to let them know that this had happened.
At this point I have not heard back from them either.

Geoff Sweet
World Vision - Federal Way

-----Original Message-----
From: Tom Micklovitch [mailto:h_bugtraq () yahoo com]
Sent: Friday, 08 February, 2002 02:05
To: bugtraq () securityfocus com
Subject: MSN contact list disclosure


Exploit:

Register an account for MSN messenger, make some
contact email addresses, leave the account for 31
days. On a different machine (to ensure there's
no cache), go to the sign up section of MSN
messenger, sign up again, using the same screen
name. You'll be able to see the previous user's
contact list.

None of the contacts will have been alerted to
the fact that the new username actully belong to
an entirely different person, so they'll still be
sending messages, and if the new user is a haxor,
(s)he'll be replying just as if (s)he's the
original user.

I alerted Microsoft on monday, and have recieved
no reply. so there. :)

happy hacking.

=====
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12 - www.ebb.org/ungeek/
GIT d--- s--:- a--- C++++ UL++ P+ L+ E--- W+++ N- o-- K- w
O- M-- V- PS+++ PE-- Y+ PGP++ t+ 5- X+ R tv-- b+ DI++ D+
G+ e* h r++ y+++
------END GEEK CODE BLOCK------

__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com