Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Skype account + IM history hijack vulnerability
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 15 Nov 2012 16:45:29 +1300

Benji wrote:

Oracle attacks?

See into the future?
Padding oracle attacks?
Oracle SQL injections?

You noobs...


(Don't get too tied up in the crypto stuff in that article.)

klondike's point is that simply monitoring the response of the "user X 
wants to change their password" web-form tells you whether there is, in 
fact, a user named "X" on the system.  That's kinda obvious from the 
bash script klondike provided, and I don't do bash...


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]