I spoke to a responsive person at address.com, and they were very concerned. Address.com is giving this issue the attention it deserves (verifying, etc...).

Responsible full disclosure requires that a reasonable attempt is made to inform the company of an issue and give them time to respond before disclosing the vulnerability publicly. I had no problem finding a responsive person to inform of this issue. It's likely that the researcher ran into a support policy and an uncooperative or unaware support person. In my opinion, the researcher's responsibility requires a stronger attempt to notify a vendor. The company was not given a chance to respond, and the user base may have been exposed to a greater threat through early disclosure.

In an environment where full disclosure is being labeled as part of 'information anarchy' by an unethical vendor's propaganda, mishaps like these endanger more than an individual company and user base.

Just my opinion.

-----Original Message-----
From: wannabe anonymousplease [mailto:i_wanna_be_anonymous@yahoo.com]
Sent: Tuesday, January 08, 2002 8:53 PM
To: bugtraq@securityfocus.com
Subject: address.com: email vulnerability

www.address.com has a vulnerability that allows reading the email of other users.

address.com offers, among other things, free email (similar to hotmail.com). However, the registration allows you to overwrite existing accounts. If it does, the password is overwritten, and the new user takes control of the account (the former user will no longer know the password). However, the emails of the former user remain.

In attempting to ask address.com to look into this issue, I was told they couldn't help because I wasn't a premium member.
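The flaw class described in the original post (a registration step that replaces an existing account's credentials while the old mailbox stays attached) is easy to reproduce and to fix in a small model. The following is an added example, not code from the original post or from address.com: it uses a constructed in-memory SQLite user store with assumed table names (`users`, `mail`), puts a registration routine that overwrites duplicates next to one that refuses them, and shows why the database's own uniqueness constraint is the right place to enforce the check.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema standing in for a webmail user store. address.com's real
# implementation is unknown; the table layout here is an illustrative assumption.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    conn.execute("CREATE TABLE mail (owner TEXT NOT NULL, body TEXT NOT NULL)")
    return conn


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked table does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Flawed pattern: INSERT OR REPLACE on a keyed table deletes the existing
    row and inserts the new credentials, so registering a name that is already
    taken replaces that account's password. Always reports success."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT OR REPLACE INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _hash_password(password, salt)),
    )
    conn.commit()
    return True


def register_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened pattern: a plain INSERT and let the PRIMARY KEY constraint reject
    duplicates. Enforcing this in the database (rather than SELECT-then-INSERT
    in application code) also closes the race between two concurrent signups."""
    salt = os.urandom(16)
    try:
        conn.execute(
            "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
            (username, salt, _hash_password(password, salt)),
        )
    except sqlite3.IntegrityError:
        return False  # name already taken: leave the existing account untouched
    conn.commit()
    return True


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash_password(password, salt))


def deliver(conn: sqlite3.Connection, owner: str, body: str) -> None:
    conn.execute("INSERT INTO mail (owner, body) VALUES (?, ?)", (owner, body))
    conn.commit()


def inbox(conn: sqlite3.Connection, username: str) -> list:
    # Mail is keyed only by owner name, so whoever holds the name reads it.
    return [body for (body,) in conn.execute("SELECT body FROM mail WHERE owner = ?", (username,))]


if __name__ == "__main__":
    db = make_db()
    register_vulnerable(db, "alice", "original-password")
    deliver(db, "alice", "constructed sample message")   # constructed test data
    register_vulnerable(db, "alice", "second-password")    # succeeds and replaces the row
    print("old password still works:", login(db, "alice", "original-password"))  # False
    print("mailbox still present:", inbox(db, "alice"))    # ['constructed sample message']

    db2 = make_db()
    register_safe(db2, "alice", "original-password")
    print("duplicate registration accepted:", register_safe(db2, "alice", "second-password"))  # False
```

The mailbox is keyed only by the account name, so in the flawed variant the replaced row leaves every stored message readable by whoever now controls the name, which is exactly the exposure the post describes. The fix is a single constraint plus honest error handling; a signup form that reports "name already taken" is the expected behaviour.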