mailing list archives
From: warning () type-error net
Date: Wed, 24 Oct 2012 09:39:30 -0700
A while back, LiveChat, Inc was breached via a very simple web
exploit. Their customers were never notified to update their password
LiveChatInc.com allows businesses to offer chat services intergrated
to their web platform. Via the customer's panel, one can reset a
password. LiveChatInc.com fail to check input properly and you can
reset ANY user account, but also specify your return email for the
link. Also work with password set fields. This exploit was used to
compromise the actual administrators of LiveChatInc.com and add an
admin user that can see ALL ACCOUNTS from ALL THEIR CUSTOMERS.
Basically, very bad mojo.
There are many more bugs to be found. Go ahead and sign up for a free
trial account if you like to verify. Image File Upload, XSS, and CSRF.
Maybe they get smarter in the future?
The customers that they didn't notify and may have been attacked using
this trust relationship are as follows:
* France Telecom-Orange
* and many more!
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- LiveChatInc.com breached warning (Oct 26)