This is old news now, but I haven't seen it discussed yet, so I thought I'd share it with anybody who hadn't had a chance to see it. Basically, you could reset the password on any Hotmail account you wanted to by simply changing a few strings in a URL.
http://securityfocus.com/archive/75/...5/2003-05-11/0
--commentary--
I mean, come on: people store all sorts of data in their Passport accounts, yet by simply changing a few strings in a URL their data is completely vulnerable. Credit cards, photos, addresses, you name it. This is not acceptable from the largest software company in the world.
BTW:
This doesn't work anymore. Microsoft disabled resetting Hotmail passwords completely either last night or this morning... until they figure out who to fire for such blatantly sloppy security & fix it.
Hushmail accounts are starting to look really nice about now.