me-here1405241520
Posted April 22, 2006 (edited)

is it working now...?

An attacker can reset any Microsoft Hotmail/.Net Passport user account with no prior information like state, zip, country, answer to the secret question and the old password. Normally, a user has to answer the security questions and then answer the secret question if he wants to reset his password. By exploiting this vulnerability, an attacker can submit a specially crafted URL to get the password reset instructions and reset any user's password.

TECHNICAL DETAILS

Due to the nature of this vulnerability and the fact that there is no fix available yet, no technical details are being made available with this advisory. Full technical details will be made available on our website once the vulnerability is fixed by Microsoft. Please note that we were forced to release this information public as these vulnerabilities are actively being exploited in the wild and are one of the most severe vulnerabilities ever found in Microsoft Hotmail/.Net Passport.

The flaw is exploited by opening the following URL in a web browser:

http://forums.xisto.com/no_longer_exists/&em=victim@hotmail.com&id=&cb=&prefem=where-to@send-the-email.com&rst=

After that, the URL which resets the password will be delivered, in this case, to where-to@send-the-email.com.

Edited April 22, 2006 by me-here
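
The URL in the post above carries both the account (`em`) and the address the reset link is sent to (`prefem`). The following is an added example, not part of the original post or the advisory, and not Microsoft's code: a hypothetical reset handler that trusts the request's `prefem` value (an assumption about the flaw class, since the advisory withholds details) beside a hardened one that only uses the address on record and issues single-use, expiring tokens. The account store, addresses and function names are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: login address -> recovery address on record.
ACCOUNTS = {"victim@example.com": {"recovery": "victim-alt@example.net"}}
TOKENS = {}      # sha256(token) -> (account, expiry); raw tokens are never stored
OUTBOX = []      # (recipient, token) pairs, standing in for outgoing mail
TOKEN_TTL = 900  # seconds a reset token stays valid

def _issue(account, recipient, now=None):
    """Create a reset token for `account` and queue it for `recipient`."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[digest] = (account, (now or time.time()) + TOKEN_TTL)
    OUTBOX.append((recipient, token))
    return recipient

def request_reset_vulnerable(params):
    """Assumed flaw class: the delivery address comes from the request."""
    account = params.get("em")
    if account not in ACCOUNTS:
        return None
    return _issue(account, params.get("prefem") or ACCOUNTS[account]["recovery"])

def request_reset_hardened(params):
    """Delivery address comes only from the stored record; `prefem` is ignored."""
    account = params.get("em")
    if account not in ACCOUNTS:
        return None  # the HTTP response should look the same as on success
    return _issue(account, ACCOUNTS[account]["recovery"])

def redeem(token, now=None):
    """Return the account a token resets, or None if unknown, used or expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = TOKENS.pop(digest, None)  # pop makes the token single-use
    if entry is None or (now or time.time()) > entry[1]:
        return None
    return entry[0]
```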

miCRoSCoPiC^eaRthLinG
Posted April 22, 2006

For God's sake, try and provide SOME ORIGINAL INPUT ON YOUR OWN PART. I'm getting tired of warning you and deleting such posts. Don't you have any goddamned opinion on anything on your own? Or do you simply specialize in posting quoted material from other sites?

iGuest
Posted April 22, 2006

O.o, never seen M^E this mad before. Musta really got under his skin...

Logan Deathbringer
Posted April 24, 2006

Yes, the ability to reset a password on the hotmail/msn network is possible, much like the quoted material you posted states. They are currently working on, or have fixed, that problem already. As for how to do it, that's above my knowledge level, or to be more precise, not what I like to do for fun on my evenings off.

As for the post... I have to agree with M^E, of the couple of posts of yours that I have run across they are, umm... juvenile at best, or in my opinion just this side of spam. Please feel free to contribute to the community, I would love to see you become a strong member here, but please don't post like this anymore, otherwise M^E, Moonwitch, or another of the mods might decide that banning might be the best option.