Full Disclosure mailing list archives

Re: TrueCaller Vulnerability Allows Changing Users Details


From: Q8WhiteHat <q8whitehat () gmail com>
Date: Wed, 6 Jun 2012 23:42:19 +0300

They can encrypt the POST parameters (address book) as they're sent. Just like the HTTP GET requests used to search for numbers.

--
Q8WhiteHat.org

On Jun 6, 2012, at 11:36 PM, doc mombasa wrote:

Yes, and how would you mitigate that?
It's not possible to validate the data, as they don't have any pre-existing knowledge about your address book.

2012/6/5 Kuwait WhiteHat <q8whitehat () gmail com>
Well, using SSL will solve the privacy issues which involve having a third party sniff the traffic and reconstruct a database of users' address books, as outlined here:
http://q8whitehat.org/truecaller-vulnerability-allows-changing-users-name/
However, it doesn't solve other problems such as the ability to change database entries or submit fake data.

On Jun 5, 2012 5:16 PM, "doc mombasa" <doc.mombasa () gmail com> wrote:
The only "vulnerability" here is not using HTTPS?

2012/6/4 Григорий Братислава <musntlive () gmail com>
Paranoia. Thor I is always publicly share contacts:

Adrian Lamo
c/o DMH Vacavill Psychiatric Hospital
Vacavill, CA
(707) 449-6504

Hector Monsegur
(480) 948-6377
ADDRESS IS WITHOLD

John Paul (JP)
594 3rd St
Beaver PA
www.inspirosity.com (is Out of business moved into is Gay porn)

Jesse Tuttle
(http://enquirer.com/editions/2003/07/28/hacker_zoom.jpg)
(480) 948-6377
ADDRESS IS WITHOLD

Gary McKinnon
PSC 1005
Box 25 FPO AE / Cellblock 42
Guantanamo Bay 09593

AS (is in case I am too arrested)
4340 East West Hwt Suite 350
Bethesda MD

Has nothing to hid.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
