M.O.M.B.Y! (momby) wrote,

MOMBY-00001101: Cleartext Password Recovery via E-Mail

Advisory MOMBY-00001101: Cleartext Password Recovery via E-Mail
Press Embargo until April 17, 2007

Noobs: *****
 LOLs: **
 0wnz: ** 1/2

In MOMBY-111 we discussed the cleartext authentication via the web interface. So, perhaps it's unsurprising to find cleartext passwords being revealed in the e-mail generated when clicking the "Forgot your password?" link on http://www.myspace.com.

Screenshot: http://pics.livejournal.com/momby/pic/0000e7d1

Due to this implementation bug, parties in a position to intercept e-mail are also in a position to recover Myspace passwords.

One may argue that people who operate e-mail in a cleartext manner have more to worry about. But recall that anyone may trigger this cleartext password reveal; thus, an attacker who can watch cleartext e-mail exchanges (again, most commonly an eavesdropper who is listening on a public wireless segment) may induce a password revelation at will. He need not wait for his victim to log in to Myspace, but may instead wait for the victim to download e-mail over a cleartext channel (such as Yahoo! webmail), which, in this setting, may happen considerably more often.

Also note that Fox Interactive does not inform Myspace users when their passwords have been revealed in this way. Thus, an attacker who has complete control over a mail account (such as an untrustworthy mail administrator or a government investigator) may induce the password reveal, intercept the message, then delete the message, without the victim's knowledge.
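For contrast, here is a sketch of a recovery flow that never puts the password in the mail and tells the owner when a reset completes. It is an added example, not Myspace's code and not part of the original advisory; the `Accounts` class, the `TOKEN_TTL` value, the PBKDF2 parameters and the message texts are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy value)

class Accounts:
    """In-memory stand-in for a user store (constructed for this example)."""
    def __init__(self):
        self.users = {}   # email -> (salt, derived key); the password itself is never kept
        self.resets = {}  # sha256(token) -> (email, expiry)
        self.outbox = []  # (recipient, body) pairs standing in for sent mail

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, self._derive(password, salt))

    def check_password(self, email, password):
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, self._derive(password, salt))

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email not in self.users:
            return  # same behaviour either way, so the form does not confirm accounts
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.resets[digest] = (email, now + TOKEN_TTL)  # only the token's hash is stored
        self.outbox.append((email, f"Reset token: {token}"))

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        email, expiry = self.resets.pop(digest, (None, 0))  # pop makes the token single-use
        if email is None or now > expiry:
            return False
        self.set_password(email, new_password)
        self.outbox.append((email, "Your password was changed."))  # owner is notified
        return True
```

An intercepted token can still be used to take over the account until it expires, but the existing password is never disclosed, and a completed reset locks out the old password, so the owner finds out at the next login even if the notice is deleted from the mailbox.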

Credit: Dammit, now you know my awesum password!!!

Tags: cleartext password, e-mail