BreachExchange mailing list archives

Eloqua, subscription manager for VMWare, leaks customer info


From: security curmudgeon <jericho () attrition org>
Date: Thu, 14 Apr 2011 00:23:28 -0500 (CDT)


http://andrewmohawk.com/2011/04/13/vmware-user-information-leak/

VMWare User Information Leak
This entry was posted on Apr 13 2011

Click here to search the VMWare user database!

So last week some time Chris Hadnagy linked me to the following URL: 
http://info.vmware.com/content/opt-out which was pretty interesting last 
week. Basically it allowed someone to fill in their email address to 
manage their VMWare subscriptions. I noticed a couple of things from the 
next pages:

     * The fields auto-populated with details like Name, Phone Number etc.
       (I know, without auth and only an email address ... worriedface)
     * Another tab became available that allowed you to update your details
       ... again, no auth, scary

So I whipped out the good old Firebug and started looking through the AJAX 
calls till I came across this little gem:

[..]


http://www.andrewmohawk.com/VMWareScraper/

VMWare/Eloqua leaks your info!

Basically Eloqua (the subscription guys for VMWare) are leaking customer 
info via svrGP.aspx, discovered by Chris Hadnagy and Andrew MacPherson

Thanks,
Andrew MacPherson
(andrew () andrewmohawk com)



_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list


