It did reset.

----- Original Message ----- 
From: "Christopher F. Herot" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, May 08, 2003 12:05 PM
Subject: RE: [Full-Disclosure] Hotmail & Passport (.NET Accounts) Vulnerability


>
> I just tried this.  It does indeed generate the "reset password" email
> and link, which is scary, but following the instructions does not really
> reset the password, at least not for the limited test I performed.
>
>
> > -----Original Message-----
> > From: Muhammad Faisal Rauf Danka [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, May 07, 2003 10:51 PM
> > To: [EMAIL PROTECTED]
> >
> > Hotmail & Passport (.NET Accounts) Vulnerability
> >
> > There is a very serious and stupid vulnerability or bad coding in Hotmail / Passport's (.NET Accounts)
> >
> > I tried sending emails several times to Hotmail / Passport contact addresses, but always met with the NLP bots.
> >
> > I guess I don't need to go in details of how crucial and important Hotmail / Passport's .NET Account passport is to anyone.
> >
> > You name it and they have it, E-Commerce, Credit Card processing, Personal Emails, Privacy Issues, Corporate Espionage, maybe stalkers and what not.
> >
> > It is so simple that it is funny.
> >
> > All you got to do is hit the following in your browser:
> >
> > https://register.passport.net/emailpwdreset.srf?lc=1033&[EMAIL PROTECTED]l.com&id=&cb=&prefem=attac[EMAIL PROTECTED]&rst=1
> >
> > And you'll get an email on [EMAIL PROTECTED] asking you to click on a url something like this:
> >
> > http://register.passport.net/EmailPage.srf?EmailID=CD4DC30B34D9ABC6&URLNum=0&lc=1033
> >
> > From that url, you can reset the password and I don't think I need to say anything more about it.
> >
> > Vulnerability / Flaw discovered : 12th April 2003
> > Vendor / Owner notified : Yes (as far as emailing them more than 10 times is concerned)
> >
> >
> > Regards
> > --------
> > Muhammad Faisal Rauf Danka
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
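
Added example, not part of the thread and not Passport's code: a small Python model of the flaw class the report describes, beside a hardened handler. It assumes the reset link was mailed to an address taken from the request; `prefem` is the parameter name visible in the quoted URL, while `account`, the function names and all addresses are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed data: login name -> verified recovery address already on file.
ACCOUNTS = {"alice@example.com": "alice-recovery@example.net"}
TOKENS = {}          # sha256(token) -> (account, expiry timestamp)
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

def issue_token(account, now=None):
    """Create a random token; store only its hash, bound to the account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (account, now + TOKEN_TTL)
    return token

def request_reset_vulnerable(params, outbox):
    """Flaw model: the reset link is mailed wherever the request says."""
    account = params.get("account", "")
    if account not in ACCOUNTS:
        return False
    dest = params.get("prefem") or ACCOUNTS[account]  # client-controlled
    outbox.append((dest, issue_token(account)))
    return True

def request_reset_hardened(params, outbox):
    """Ignore any destination in the request; mail only the address on file."""
    account = params.get("account", "")
    if account in ACCOUNTS:
        outbox.append((ACCOUNTS[account], issue_token(account)))
    return True  # identical response for known and unknown accounts

def redeem(token, account, now=None):
    """Accept a token once, before expiry, and only for its own account."""
    now = time.time() if now is None else now
    entry = TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    owner, expiry = entry
    return owner == account and now <= expiry
```

The hardened handler also returns the same result for unknown accounts, so the reset form does not reveal which login names exist.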