Bugtraq mailing list archives

Re: MSN contact list disclosure

From: Tom McAdam <tomc () future-i com>
Date: Sun, 10 Feb 2002 10:28:41 +0000 (GMT)

On Fri, 8 Feb 2002, Tom Micklovitch wrote:

Exploit:

Register an account for MSN messenger, make some contact email
addresses, leave the account for 31 days. On a different machine (to
ensure there's no cache), go to the sign up section of MSN messenger,
sign up again, using the same screen name. You'll be able to see the
previous user's contact list.

-- snip --


This issue was initially reported back in August 2000 to Bugtraq [1] by
James Nelson

Microsoft did respond [2] but must've decided it wasn't an issue... all
those lovely graphical updates to make Messenger look pretty were
obviously deemed more important.


[1] http://www.securityfocus.com/archive/1/76183
[2] http://www.securityfocus.com/archive/1/76388

Current thread:

MSN contact list disclosure Tom Micklovitch (Feb 08)
- RE: MSN contact list disclosure Geoff Sweet (Feb 10)
- Re: MSN contact list disclosure Tom McAdam (Feb 11)