I can confirm this. Recently I registered a hotmail account, and when I logged onto MSN Messenger the first time it was loaded with contacts! A couple of which began conversing with me at logon. At the time (about 8 weeks ago), I contacted Microsoft to let them know that this had happened. At this point I have not heard back from them either. Geoff Sweet World Vision - Federal Way -----Original Message----- From: Tom Micklovitch [mailto:h_bugtraq@yahoo.com] Sent: Friday, 08 February, 2002 02:05 To: bugtraq@securityfocus.com Subject: MSN contact list disclosure Exploit: Register an account for MSN messenger, make some contact email addresses, leave the account for 31 days. On a different machine (to ensure there's no cache), go to the sign up section of MSN messenger, sign up again, using the same screen name. You'll be able to see the previous user's contact list. None of the contacts will have been alerted to the fact that the new username actully belong to an entirely different person, so they'll still be sending messages, and if the new user is a haxor, (s)he'll be replying just as if (s)he's the original user. I alerted Microsoft on monday, and have recieved no reply. so there. :) happy hacking. ===== -----BEGIN GEEK CODE BLOCK----- Version: 3.12 - www.ebb.org/ungeek/ GIT d--- s--:- a--- C++++ UL++ P+ L+ E--- W+++ N- o-- K- w O- M-- V- PS+++ PE-- Y+ PGP++ t+ 5- X+ R tv-- b+ DI++ D+ G+ e* h r++ y+++ ------END GEEK CODE BLOCK------ __________________________________________________ Do You Yahoo!? Send FREE Valentine eCards with Yahoo! Greetings! http://greetings.yahoo.com
