Full Disclosure mailing list archives

Re: Hotmail & Passport (.NET Accounts)


From: Darren Reed <avalon () caligula anu edu au>
Date: Fri, 9 May 2003 23:09:27 +1000 (Australia/ACT)

In some mail from adf--at--Code511.com, sie said:

Is it me or ms never credit vulnerabilities according to
http://www.microsoft.com/security/passport_issue.asp  "a report was
published detailing a security vulnerability(...)"? No more details or
credit.

And they should because...?  If you ask me, doing this for "fame and
fortune" is really against what i would call traditional hacker ethic.

I also saw online news like http://www.vnunet.com/News/1140757 none
mentioned as it was said in Muhammad's post the issue was discovered,  and
ms warned since 12th April 2003. Meaning it let opened user's account (40 m
users?) open for almost 3 weeks...

that's ms marketting for you!

but if you think "open for almost 3 weeks", think again.

"_KNOWN_ open for almost 3 weeks" is more correct.

if someone had of been less inclined to show off their skills in being
able to reset hotmail passwords, it'd still be unknown and may have
been "in use" for some time before that, if not by that person then
by others.  Will MS tell us?  Not likely.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: