Full Disclosure: Re: Skype account + IM history hijack vulnerability

[Benji <me () b3nji com>]

Hi genius of the year

Sometimes when people argue over the definition of '0day', it is important to be clear. Although the bash script made 
it clear, I have never ever seen someone call 'user enumeration' an 'oracle attack'. Probably because this is 2012 and 
the Matrix hasn't just come out.

Sorry for not knowing non-industry terms used by 1% of the populous you hipster.

Sent from my iPhone

On 15 Nov 2012, at 03:45, "Nick FitzGerald" <nick () virus-l demon co uk> wrote:

> Benji wrote:
>
> > Oracle attacks?
> >
> > See into the future?
> > Padding oracle attacks?
> > Oracle SQL injections?
> You noobs...
>
>   http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917
>
> (Don't get too tied up in the crypto stuff in that article.)
>
> klondike's point is that simply monitoring the response of the "user X 
> wants to change their password" web-form tells you whether there is, in 
> fact, a user named "X" on the system.  That's kinda obvious from the 
> bash script klondike provided, and I don't do bash...
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/