Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] MySpace e-mail importer rasies security concerns

from [MadHat Unspecific] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] MySpace e-mail importer rasies security concerns
Date: Sun, 29 Jul 2007 12:50:11 -0500 
Kristian Hermansen wrote:

On 7/29/07, "HACK THE GOV" <hackthegov@googlemail.com> wrote:

"we've recently noticed the functionality of myspace in respect of the
e-mail importer raises privacy and security concerns.


Yea, it would be a dumb idea to use that feature.  Although, if you
really really really want to use it, it would be wise to temporarily
change your password, use the feature, and then set it back to
minimize the abuse potential.  Still a bad idea.

LinkedIn also has this functionality...
https://www.linkedin.com/secure/uploadContacts?displayWebMail=&trk=inv_webmail



Facebook, Spock and several other sites are implementing this type of
'feature'.  It is interesting to see how people are willing to give
someone their password.  I sent a message to the local DC214 group about
this not too long ago[1].  One member responded with a story of
financial website that used a similar method to verify your bank account
(optional) by giving the login credentials of your bank account on the
bank's website.


[1] the original email I sent, nothing too interesting:

I recently started looking at Facebook and Spock as online services.  I
was curious what they offered and how they were different from other
services.

One of the things I found interesting about both is that both offered,
or forced (if you want to use their service), to log into other online
services for you and scrape the data from that other services.  Both
offer some way of importing address book from mail applications or
address books.  On each you were asked to give the login and pass for
services such as yahoo, gmail, myspace, hotmail, etc... and then the
service would log in and get a copy of your address book or other
details you had entered and replicate the data or offer to "spam" your
contacts with invites to the new service.  You have no way to know if
these credentials are being stored or if they are using ssl or what the
network landscape is like between the 2 services.  Personally I expect
those accounts to be compromised and use throwaway passwords on them, so
I can play with each of these services. It's not like I saw anything
revolutionary in any of them, but I found the idea of trusting them to
have the credentials to so many other online services interesting and
why people would be willing to give them up (other than stupidity and
'sheeple-ness').


-- 
MadHat (at) Unspecific.com, C²ISSP
E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98
gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] MySpace e-mail importer rasies security concerns, Kristian Hermansen
Next by Date:  [Full-disclosure] Sunday Morning Spam: Intel Video Ad on Security, directed by Christopher Guest, pdp (architect)
Previous by Thread:  Re: [Full-disclosure] MySpace e-mail importer rasies security concerns, Kristian Hermansen
Next by Thread:  [Full-disclosure] Sunday Morning Spam: Intel Video Ad on Security, directed by Christopher Guest, pdp (architect)
Indexes:  [Date] [Thread] [Top] [All Lists]