Bugtraq mailing list archives

RE: address.com: email vulnerability


From: Robert Ellis <REllis () excel com>
Date: Fri, 11 Jan 2002 14:27:10 -0600

        I spoke to a responsive person at address.com, and they were very
concerned. Address.com is giving this issue the attention it deserves
(verifying, etc...)

        Responsible full disclosure requires that a reasonable attempt is
made to inform the company of an issue and give them time to respond before
disclosing the vulnerability publicly. I had no problem finding a
responsive person to inform of this issue. It's likely that the researcher
ran into a support policy and an uncooperative or unaware support person. In
my opinion, the researcher's responsibility requires a stronger attempt to
notify a vendor.

        The company was not given a chance to respond, and the user base may
have been exposed to a greater threat through early disclosure. In an
environment where full disclosure is being labeled as part of 'information
anarchy' by an unethical vendor's propaganda, mishaps like these endanger
more than an individual company and its user base.

Just my opinion.

-----Original Message-----
From: wannabe anonymousplease [mailto:i_wanna_be_anonymous () yahoo com]
Sent: Tuesday, January 08, 2002 8:53 PM
To: bugtraq () securityfocus com
Subject: address.com: email vulnerability


www.address.com has a vulnerability that allows
reading the email of other users. address.com offers,
among other things, free email (similar to
hotmail.com). 

However, the registration allows you to overwrite
existing accounts. If it does, the password is
overwritten, and the new user takes
control of the account (the former user will no longer
know the password).

However, the emails of the former user remain. In
attempting to ask address.com to look into this issue,
I was told they couldn't help because I wasn't a
premium member.




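The flaw the original post describes, modelled as an added example: this is hypothetical code written for this page, not address.com's software (which was never public). It shows a registration handler that "upserts" the account row, so re-registering a taken name replaces the password while the mailbox, keyed by username, stays where it was, beside a handler that lets the primary-key constraint refuse the duplicate atomically. The schema, usernames, passwords and the one mail message are all constructed.

```python
"""Account takeover by re-registration: a hypothetical model of the bug class
described in the post above. Not address.com's code; schema and data are
constructed for the illustration."""
import hashlib
import hmac
import os
import sqlite3


def _hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt):hex(digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}:{digest.hex()}"


def _verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """In-memory schema (constructed): accounts keyed by username,
    mail rows attached to the owning username."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (username TEXT PRIMARY KEY, pw TEXT NOT NULL);
        CREATE TABLE mail (id INTEGER PRIMARY KEY, owner TEXT NOT NULL,
                           body TEXT NOT NULL);
    """)
    return db


def register_vulnerable(db, username, password):
    """Upsert registration: a duplicate username silently replaces the row.
    The mail rows still point at the same username, so the mailbox changes
    hands together with the password."""
    db.execute("INSERT OR REPLACE INTO accounts (username, pw) VALUES (?, ?)",
               (username, _hash_password(password)))
    db.commit()
    return True


def register_hardened(db, username, password):
    """Plain INSERT: the PRIMARY KEY rejects a second row for the same name.
    Checking with SELECT first and then inserting would leave a race window
    between the two statements; letting the unique constraint decide does not."""
    try:
        db.execute("INSERT INTO accounts (username, pw) VALUES (?, ?)",
                   (username, _hash_password(password)))
        db.commit()
        return True
    except sqlite3.IntegrityError:
        return False


def login(db, username, password):
    row = db.execute("SELECT pw FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and _verify_password(password, row[0])


def inbox(db, username):
    return [r[0] for r in db.execute(
        "SELECT body FROM mail WHERE owner = ?", (username,))]


def demo(register):
    """Victim registers and receives a message; attacker re-registers the
    same name. Returns (attacker_registered, victim_can_login,
    attacker_can_read_inbox)."""
    db = make_db()
    register(db, "alice", "victim-pass")
    db.execute("INSERT INTO mail (owner, body) VALUES (?, ?)",
               ("alice", "constructed message addressed to alice"))
    db.commit()
    took = register(db, "alice", "attacker-pass")
    victim_ok = login(db, "alice", "victim-pass")
    attacker_reads = login(db, "alice", "attacker-pass") and inbox(db, "alice")
    return took, victim_ok, bool(attacker_reads)


if __name__ == "__main__":
    print("vulnerable:", demo(register_vulnerable))  # (True, False, True)
    print("hardened:  ", demo(register_hardened))    # (False, True, False)
```

The point of the hardened variant is not the password hashing but where the duplicate check lives: a uniqueness constraint enforced by the database fails the second INSERT even if two registration requests for the same name arrive at the same moment, which an application-side "does this name exist" query cannot guarantee.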