On Tue, 09 Nov 2004 19:40:08 +0000, César René Vega García <[EMAIL PROTECTED]> wrote:

> :Hotmail & Passport (.NET Accounts) Vulnerability
>
> There is a very serious and stupid vulnerability or bad coding in Hotmail / Passport's (.NET Accounts).
>
> I tried sending emails several times to Hotmail / Passport contact addresses, but always met with the NLP bots.
>
> I guess I don't need to go into details of how crucial and important Hotmail / Passport's .NET Account passport is to anyone.
>
> You name it and they have it: E-Commerce, Credit Card processing, Personal Emails, Privacy Issues, Corporate Espionage, maybe stalkers and what not.
>
> It is so simple that it is funny.
>
> All you got to do is hit the following in your browser:
>
> https://register.passport.net/emailpwdreset.srf?lc=1033&amp;[EMAIL PROTECTED]&id=&cb=&[EMAIL PROTECTED]&rst=1
>
> And you'll get an email on [EMAIL PROTECTED] asking you to click on a URL something like this:
>
> http://register.passport.net/EmailPage.srf?EmailID=CD4DC30B34D9ABC6&URLNum=0&lc=1033
>
> From that URL, you can reset the password and I don't think I need to say anything more about it.
>
> Vulnerability / Flaw discovered: 12th April 2003
> Vendor / Owner notified: Yes (as far as emailing them more than 10 times is concerned)
>
> Regards
> --------
> Muhammad Faisal Rauf Danka
> ________________________________
> T1msn Search. Everything you are looking for, now faster. Click here
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
I assume you used [EMAIL PROTECTED]? And you have found this since 2003 and wanted to tell someone. Lame excuse dude.

If e-mail fails (which is unlikely if you use the correct address, which isn't hard to find via search engines) then you can -easily- phone up Microsoft and make them aware and ask to be redirected to the security team, or ask the switchboard for the correct e-mail or the e-mail of an employee.

I'm sorry but it didn't wash that you tried every avenue of contact before disclosing this vulnerability a year later, via a security mailing list. It sounds more like a kid's excuse for smashing a window or getting caught stealing candy from a store.

Further remarks on this are welcome...

Thanks,
n3td3v

I'm a security enthusiast. My forum can be reached via a geocities address http://www.geocities.com/n3td3v for off-thread feedback and comments.