* Trey Valenta <trey@anvils.org> [020109 18:35]:
> myvoicestream.com allows VoiceStream Wireless customers to manage their
> phones and billing accounts over SSL. Access controls to sessions are

You missed the worst of it:

If you go to the 'update profile' page and view source, you can see the currently set password. (Web authors: please stop doing this, please leave those blank, please require reauthentication when resetting passwords. I've found another site today apart from that that I just notified the vendor of...)

Thus: you can hijack a session and gain a potentially re-used common password and compromise a person's other accounts with that gained information.

--
Scott Dier <dieman@ringworld.org> http://www.ringworld.org/
the desire for space travel is a metaphor for escape
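As an added illustration of the two practices asked of web authors above (leave the password fields of the profile form blank, and require reauthentication before a password is changed), the following example code is not part of the original post; the in-memory user store, the salted PBKDF2 hashing and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import html
import os

# Constructed in-memory user store (assumption: a real site would use a database).
USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"email": f"{username}@example.com",
                       "salt": salt, "pw_hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def render_profile_form(username: str) -> str:
    """Render the 'update profile' form. Both password inputs are always empty,
    so neither 'view source' nor a hijacked session reveals the current password."""
    user = USERS[username]
    return ('<form method="post" action="/profile">\n'
            f'  <input name="email" value="{html.escape(user["email"])}">\n'
            '  <input type="password" name="current_password" value="">\n'
            '  <input type="password" name="new_password" value="">\n'
            '  <button type="submit">Save</button>\n'
            '</form>')


def change_password(username: str, current_password: str, new_password: str) -> bool:
    """Reauthenticate before changing the password: a stolen session cookie alone
    is not enough, the caller must also prove knowledge of the current password."""
    if not verify_password(username, current_password):
        return False
    salt = os.urandom(16)
    USERS[username]["salt"] = salt
    USERS[username]["pw_hash"] = _hash_password(new_password, salt)
    return True
```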