Nigerian phish from Microsoft
Posted by Dave Yadallee on
Return-path:
Envelope-to: dave@doctor.nl2k.ab.ca
Delivery-date: Mon, 27 Jun 2022 06:43:00 -0600
Received: from doctor by doctor.nl2k.ab.ca with local (Exim 4.95 (FreeBSD))
(envelope-from)
id 1o5o4V-000ACY-A8
for dave@doctor.nl2k.ab.ca;
Mon, 27 Jun 2022 06:42:31 -0600
Resent-From: The Doctor
Resent-Date: Mon, 27 Jun 2022 06:42:31 -0600
Resent-Message-ID:
Resent-To: Dave Yadallee
Received: from a8-81.smtp-out.amazonses.com ([54.240.8.81]:43871)
by doctor.nl2k.ab.ca with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
(Exim 4.95 (FreeBSD))
(envelope-from <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@amazonses.com>)
id 1o5nM2-000CIz-IQ
for doctor@nk.ca;
Mon, 27 Jun 2022 05:56:40 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1656330968;
h=Subject:From:To:Reply-To:List-Unsubscribe:List-Unsubscribe-Post:List-Id:Feedback-ID:Message-ID:MIME-Version:Date:Content-Type;
bh=cW9jUGU03edE/Lbm1JGNS6wfZ6mli1DEfH+3p30jMoE=;
b=ctDUVMlxZq93P+vT8YMsznjRAuUFzo9mp9VF142ACXwAwCzPFRoVrlyNESKa7bjr
eFJwb4cT0/KI9nf90BvCEaM/QFt0oQMq2lyQxszn9sTWsIjchQdspxvy1UB3+mlC+xr
UwOZ+EKL9D1wde3O0wHroVtwEXf9YvtS6uyF/taY=
Subject: Session not expiring after password change via forgot link
From: Claire Samuel
To: "doctor@nk.ca"
Reply-To: Claire Samuel
List-Unsubscribe:,
Subscriber-Uid:ey9677xbfhf21 - Unsubscribe request&body=Please unsubscribe
me!>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Id: af726vv397a14
X-Report-Abuse: https://email.offensiveguards.io/latest/campaigns/mx001lfzwh6e2/report-abuse/af726vv397a14/ey9677xbfhf21
X-EBS: https://email.offensiveguards.io/latest/lists/block-address
Feedback-ID: 1.us-east-1.jUPIvFwI5WueMv7UjkxdV4UxLo/q5d3gibQe3k7gqaU=:AmazonSES
Message-ID: <01000181a504dd6e-4a036fd3-bc49-40d2-acdc-7504122d6bf8-000000@email.amazonses.com>
MIME-Version: 1.0
Date: Mon, 27 Jun 2022 11:56:08 +0000
Content-Type: multipart/alternative; boundary=PbL8ZI_d
X-SES-Outgoing: 2022.06.27-54.240.8.81
--PbL8ZI_d
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Hello doctor,
Hope you are fine. As an independent security researcher I have found some bugs/vulnerabilities in your website.
Vulnerability: Failure to invalidate session on forget password
I have observed that when we request a forgot password link it updates the session instead of expiration. If an account is logged in some account and the password reset link is used the other account will get updated but not expired.
Steps to reproduce:
1. Request a forgot password link.
2. Now login in another browser and then use the password reset link in another browser.
3. You will notice that the password will be changed successfully and the other browser will still be active with the account you opened in it.
Impact:
If some account is logged in in some browser it will not be logged out from that browser and will be logged in and can be used for malicious activities.
Recommendations:
It should expire immediately when the password is changed.
Regards.
--PbL8ZI_d
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Session not expiring after password change via forgot link
Hello doctor,
Hope you are fine. As an independent security researcher I have found some bugs/vulnerabilities in your website.
Vulnerability: Failure to invalidate session on forget password
I have observed that when we request a forgot password link it updates the session instead of expiration. If an account is logged in some account and the password reset link is used the other account will get updated but not expired.
Steps to reproduce:
1. Request a forgot password link.
2. Now login in another browser and then use the password reset link in another browser.
3. You will notice that the password will be changed successfully and the other browser will still be active with the account you opened in it.
Impact:
If some account is logged in in some browser it will not be logged out from that browser and will be logged in and can be used for malicious activities.
Recommendations:
It should expire immediately when the password is changed.
Regards.
1070 S Elmhurst Rd
Mt Prospect Delaware 60056
United States
https://email.offensiveguards.io/latest/lists/af726vv397a14/unsubscribe/ey9677xbfhf21/mx001lfzwh6e2
--PbL8ZI_d--
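The behaviour the quoted report describes, next to the fix it recommends, as an added example that is not part of the original post or of the e-mail. It is a toy in-memory account service: every class, method and flag name is hypothetical, `alice` is a constructed account, and `revoke_on_reset` switches between leaving old sessions alive and dropping them when the password is reset.

```python
import hashlib
import hmac
import secrets

class Accounts:
    """Toy account service; all names here are hypothetical."""
    def __init__(self, revoke_on_reset):
        self.revoke_on_reset = revoke_on_reset
        self.creds = {}      # user -> (salt, PBKDF2 hash)
        self.sessions = {}   # session id -> user
        self.resets = {}     # single-use reset token -> user

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        salt, stored = self.creds.get(user, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def request_reset(self, user):
        token = secrets.token_urlsafe(32)
        self.resets[token] = user
        return token

    def reset_password(self, token, new_password):
        user = self.resets.pop(token, None)   # token is consumed on first use
        if user is None:
            return False
        self.set_password(user, new_password)
        if self.revoke_on_reset:   # the fix: drop sessions issued under the old password
            self.sessions = {s: u for s, u in self.sessions.items() if u != user}
        return True

def replay_report(revoke_on_reset):
    """Run the report's three steps; True means the old session survived."""
    svc = Accounts(revoke_on_reset)
    svc.set_password("alice", "old-password")      # constructed sample account
    token = svc.request_reset("alice")             # step 1: request reset link
    old_sid = svc.login("alice", "old-password")   # step 2: log in elsewhere
    svc.reset_password(token, "new-password")      # step 3: use the link
    return svc.sessions.get(old_sid) == "alice"
```

`replay_report(False)` reproduces the reported behaviour (the session from step 2 is still accepted after the reset); `replay_report(True)` shows that session rejected once the reset revokes the user's sessions.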