[24234] in bugtraq
Re: MSN contact list disclosure
daemon@ATHENA.MIT.EDU (Tom McAdam)
Mon Feb 11 12:49:55 2002
Date: Sun, 10 Feb 2002 10:28:41 +0000 (GMT)
From: Tom McAdam <tomc@future-i.com>
To: Tom Micklovitch <h_bugtraq@yahoo.com>
Cc: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
In-Reply-To: <20020208100438.19965.qmail@web20303.mail.yahoo.com>
Message-ID: <Pine.LNX.4.20L2.0202101022140.5283-100000@budvar.future-i.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 8 Feb 2002, Tom Micklovitch wrote:
> Exploit:
>
> Register an account for MSN messenger, make some contact email
> addresses, leave the account for 31 days. On a different machine (to
> ensure there's no cache), go to the sign up section of MSN messenger,
> sign up again, using the same screen name. You'll be able to see the
> previous user's contact list.
>
> -- snip --

This issue was initially reported back in August 2000 to Bugtraq [1] by
James Nelson.
Microsoft did respond [2] but must've decided it wasn't an issue... all
those lovely graphical updates to make Messenger look pretty were
obviously deemed more important.

[1] http://www.securityfocus.com/archive/1/76183
[2] http://www.securityfocus.com/archive/1/76388