[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Skype account + IM history hijack vulnerability
- To: "nick@xxxxxxxxxxxxxxxxxxx" <nick@xxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Skype account + IM history hijack vulnerability
- From: Benji <me@xxxxxxxxx>
- Date: Thu, 15 Nov 2012 08:47:00 +0000
Hi genius of the year
Sometimes when people argue over the definition of '0day', it is important to
be clear. Although the bash script made it clear, I have never ever seen
someone call 'user enumeration' an 'oracle attack'. Probably because this is
2012 and the Matrix hasn't just come out.
Sorry for not knowing non-industry terms used by 1% of the populous you hipster.
Sent from my iPhone
On 15 Nov 2012, at 03:45, "Nick FitzGerald" <nick@xxxxxxxxxxxxxxxxxxx> wrote:
> Benji wrote:
>
>> Oracle attacks?
>>
>> See into the future?
>> Padding oracle attacks?
>> Oracle SQL injections?
>
> You noobs...
>
> http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917
>
> (Don't get too tied up in the crypto stuff in that article.)
>
> klondike's point is that simply monitoring the response of the "user X
> wants to change their password" web-form tells you whether there is, in
> fact, a user named "X" on the system. That's kinda obvious from the
> bash script klondike provided, and I don't do bash...
>
>
>
> Regards,
>
> Nick FitzGerald
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/