RE: Folllow-up to the Hotmail/MSN password reset problems

["Dowling, Gabrielle" <dowlingg () sullcrom com>]

What you are suggesting is significantly different from what our TAM told us today, which was that they don't have a 
way to detect compromised accounts (in response to my explicit question about that).  I believe they can only restore 
compromised accounts.

Further, it was not generally described that email accounts could have been accessed through this vulnerability, but 
certainly they were exposed since the password is the same.

The shutdown of the link prevents any new compromises, but I don't get how that is reason to shut down this thread.   
This appears to be the most critical vulnerability in recent times, and appears to destroy any credibility in the 
passport initiative.

Gaby

 -----Original Message-----
From:   Dan Hanson
Sent:   Thu May 08 19:33:33 2003
To:     incidents () securityfocus com
Subject:        Folllow-up to the Hotmail/MSN password reset problems

As many of you have noted, this was fixed shortly after it was posted to
this list. Microsoft also appears to have locked out any accounts of
people whom they feel may have been affected by this, therefore anyone
who "tested" on their own account can expect that their old and new
passwords will not work.

Most of the information is on many news sites or channels. As such, this
thread can be considered dead.


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network 
security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  The two-day Briefings on May 14-15 features 
24 top speakers with no vendor sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------



**********************************************************************
This e-mail is sent by a law firm and contains information
that may be privileged and confidential. If you are not the 
intended recipient, please delete the e-mail and notify us 
immediately. 
***********************************************************************


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------