Bugtraq mailing list archives
Re: myvoicestream.com vulnerability
From: Scott Dier <dieman () ringworld org>
Date: Wed, 9 Jan 2002 21:06:34 -0600
* Trey Valenta <trey () anvils org> [020109 18:35]:
> myvoicestream.com allows VoiceStream Wireless customers to manage their phones and billing accounts over SSL. Access controls to sessions are
You missed the worst of it: If you go to the 'update profile' page and view source, you can see the currently set password. (Web authors: please stop doing this, please leave those blank, please require reauthentication when resetting passwords. I've found another site today, apart from that, that I just notified the vendor of...)

Thus: you can hijack a session and gain a potentially re-used common password and compromise a person's other accounts with that gained information.

-- 
Scott Dier <dieman () ringworld org> http://www.ringworld.org/
the desire for space travel is a metaphor for escape
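The leak Scott describes is a password field whose `value` attribute the server fills in with the stored password, so anyone who can read the page (a hijacked session, a cached copy, a shoulder-surfed "view source") gets the cleartext. The following is an added example, not code from the thread or from myvoicestream.com: a small stdlib-only auditor that parses an HTML page and flags every `<input type="password">` that arrives pre-filled, run over a constructed vulnerable profile form and a constructed hardened one (blank password fields, plus a separate "current password" field so that a password change requires re-authentication). The form markup, field names and the `hunter2` value are all invented for the example.

```python
"""Audit HTML forms for password fields that are sent to the browser already
filled in (the 'view source shows the password' flaw).  Added example; not
code from the original Bugtraq post.  All HTML below is constructed."""
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collect every <input type="password"> on a page and record whether the
    server shipped it with a non-empty value attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Attributes with no value (e.g. <input disabled>) come back as None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        self.findings.append({
            "name": a.get("name", ""),
            # A pre-filled password field is the disclosure we are hunting.
            "prefilled": a.get("value", "") != "",
            "autocomplete": a.get("autocomplete", "").lower(),
        })


def audit_html(page):
    """Return one finding dict per password field found in `page`."""
    parser = PasswordFieldAuditor()
    parser.feed(page)
    parser.close()
    return parser.findings


def leaked_fields(page):
    """Names of password fields whose current value is echoed into the page."""
    return [f["name"] for f in audit_html(page) if f["prefilled"]]


# Constructed profile page in the shape the thread describes: the server
# echoes the user's stored password back into the edit form.
VULNERABLE_PROFILE = """
<form method="post" action="/profile/update">
  <input type="text" name="email" value="alice@example.net">
  <input type="password" name="password" value="hunter2">
  <input type="password" name="confirm" value="hunter2">
  <input type="submit" value="Save">
</form>
"""

# Hardened version (also constructed): no password field carries a value, and
# the user must retype the current password to change it, so a hijacked
# session alone cannot learn or rotate the credential.
HARDENED_PROFILE = """
<form method="post" action="/profile/update">
  <input type="text" name="email" value="alice@example.net">
  <input type="password" name="current_password" autocomplete="off">
  <input type="password" name="new_password" autocomplete="new-password">
  <input type="password" name="confirm" autocomplete="new-password">
  <input type="submit" value="Save">
</form>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PROFILE),
                        ("hardened", HARDENED_PROFILE)):
        print(label, "pre-filled password fields:", leaked_fields(page))
```

Pointing `audit_html` at a saved copy of a real profile page is enough to reproduce the check; the parser only looks at `input` start tags, so it is unaffected by the rest of the page and by JavaScript that might populate fields later (a field filled in client-side would need a different check).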
Current thread:
- myvoicestream.com vulnerability Trey Valenta (Jan 09)
- Re: myvoicestream.com vulnerability Scott Dier (Jan 09)