Bugtraq mailing list archives

Re: myvoicestream.com vulnerability


From: Scott Dier <dieman () ringworld org>
Date: Wed, 9 Jan 2002 21:06:34 -0600

* Trey Valenta <trey () anvils org> [020109 18:35]:
> myvoicestream.com allows VoiceStream Wireless customers to manage their
> phones and billing accounts over SSL. Access controls to sessions are

You missed the worst of it:

If you go to the 'update profile' page and view source, you can see the
currently set password.  (Web authors: please stop doing this, please
leave those blank, please require reauthentication when resetting
passwords.  I've found another site today apart from that that I just
notified the vendor of...)

Thus: you can hijack a session and gain a potentially re-used common
password and compromise a person's other accounts with that gained
information.

-- 
Scott Dier <dieman () ringworld org> http://www.ringworld.org/

the desire for space travel is a metaphor for escape
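An added example, not code from the post or from myvoicestream.com: an audit check that parses rendered HTML for password fields shipped with a non-empty value (the defect described above), beside a vulnerable and a hardened profile-form renderer and a password-change handler that requires the current password before accepting a new one. The form field names, URLs and PBKDF2 parameters are assumptions.

```python
import hashlib, hmac, html, os
from html.parser import HTMLParser

class PrefilledPasswordFinder(HTMLParser):
    """Collects the names of <input type="password"> fields whose value attribute is non-empty."""
    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.leaks.append(a.get("name", "<unnamed>"))

def find_prefilled_passwords(page: str) -> list:
    """Audit check: return password fields that ship their value in the page source."""
    p = PrefilledPasswordFinder()
    p.feed(page)
    return p.leaks

def render_profile_form_vulnerable(username: str, password: str) -> str:
    """The pattern the post describes: the current password is written into the form (hypothetical markup)."""
    return ('<form method="post" action="/profile">'
            f'<input name="user" value="{html.escape(username)}">'
            f'<input type="password" name="pass" value="{html.escape(password)}">'
            '</form>')

def render_profile_form_hardened(username: str) -> str:
    """Password fields left blank; a change must carry the current password as well."""
    return ('<form method="post" action="/profile">'
            f'<input name="user" value="{html.escape(username)}">'
            '<input type="password" name="current_pass" value="" autocomplete="current-password">'
            '<input type="password" name="new_pass" value="" autocomplete="new-password">'
            '</form>')

# Server side of the hardened form: a hijacked session alone is not enough to set a new password.
def hash_password(password: str, salt: bytes = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (iteration count is an assumed value)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def change_password(stored: tuple, current: str, new: str):
    """Return the new (salt, hash) only if `current` matches the stored credential, else None."""
    salt, digest = stored
    if not hmac.compare_digest(hash_password(current, salt)[1], digest):
        return None  # reauthentication failed: leave the credential untouched
    return hash_password(new)
```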
