Full Disclosure mailing list archives

Re: Hotmail & Passport (.NET Accounts) Vulnerability


From: Nicolas Couture <nc () stormvault net>
Date: Sun, 07 Sep 2003 17:25:33 -0700

This vulnerability in Microsoft's .NET passports was fixed several months ago; read the thread correctly at http://marc.theaimsgroup.com/?t=105236474000001&r=1&w=2 .

I personally tried it and it will only work if the first email address in the URL is the same as the second email address, so I wouldn't call that a vulnerability, since only the owner of the address in question can apply this method to get his password back, and it is totally useless if you have forgotten your password because you need to have access to the incoming mailbox of the address whose password you're trying to change.

http://www.microsoft.com/security/passport_issue.asp

   I am forwarding this as it may impact people who depend on MSN or
   passport systems for business reasons. Contrary to what at
   least one of the full-disclosure follow-ups reports, it does work.
---------- Forwarded message ----------
   Subject: [Full-disclosure] Hotmail & Passport (.NET Accounts)
   Vulnerability


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

