MSN Contact List Disclosure flaw

Thanks Jon for sending this one in. Taken from a bugtraq post by Tom Micklovitch (dated Feb 8th):

Exploit:

Register an account for MSN messenger, make some contact email addresses, leave the account for 31 days. On a different machine (to ensure there's no cache), go to the sign up section of MSN messenger, sign up again, using the same screen name. You'll be able to see the previous user's contact list.

None of the contacts will have been alerted to the fact that the new username actually belongs to an entirely different person, so they'll still be sending messages, and if the new user is a haxor, (s)he'll be replying just as if (s)he's the original user.

I alerted Microsoft on Monday, and have received no reply. So there. :)

News source: MSN Contact List Disclosure - Security Focus
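
An added example, not part of the original post and not Microsoft's code: a minimal model of how re-issuing an expired screen name can hand server-side contact data to the new owner, next to a design that keys data on a never-reused account id and purges it on re-issue. The class names, storage layout, `demo_user` and the sample address are assumptions; the page describes only the observed behaviour and the 31-day period.

```python
from datetime import datetime, timedelta
from itertools import count

EXPIRY = timedelta(days=31)  # inactivity period quoted in the post


class NameKeyedDirectory:
    """Assumed flawed design: contact lists are keyed by the screen name."""
    def __init__(self):
        self.last_seen = {}  # screen name -> last activity time
        self.contacts = {}   # storage key -> contact addresses

    def _claim(self, name, now):
        seen = self.last_seen.get(name)
        if seen is not None and now - seen < EXPIRY:
            raise ValueError("screen name still in use")
        self.last_seen[name] = now

    def register(self, name, now):
        self._claim(name, now)
        self.contacts.setdefault(name, [])  # expired owner's list survives
        return name

    def add_contact(self, key, address):
        self.contacts[key].append(address)


class IdKeyedDirectory(NameKeyedDirectory):
    """Hardened design: data hangs off a never-reused account id."""
    def __init__(self):
        super().__init__()
        self.owner = {}       # screen name -> current account id
        self._ids = count(1)

    def register(self, name, now):
        self._claim(name, now)
        self.contacts.pop(self.owner.get(name), None)  # purge old owner's data
        self.owner[name] = next(self._ids)
        self.contacts[self.owner[name]] = []
        return self.owner[name]


def contacts_seen_by_new_owner(directory):
    t0 = datetime(2001, 2, 1)  # constructed timestamp
    first = directory.register("demo_user", t0)
    directory.add_contact(first, "friend@example.com")
    second = directory.register("demo_user", t0 + EXPIRY)
    return list(directory.contacts[second])
```

A further mitigation the model leaves out is telling existing contacts that a screen name has changed hands, which addresses the impersonation half of the report.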
