Bigpond Webmail Password Reset.
A security researcher has found a way to reset BigPond webmail account passwords without knowing the original password. A vulnerability in the webmail interface allowed him to access another user's account and change its password.
The flaw is reported to be related to how passwords are changed when a user attempts to log in with an incorrect password for the account.
The researcher, who goes by the name "phuzz", said he found a SQL injection vulnerability in BigPond's webmail interface that allowed him to access other users' accounts and then change their passwords.
Testing the vulnerability from his own BigPond account, phuzz found that he was able to access another user's account within minutes.
Once in, he was able to reset that account's password and log in without issue. He then warned that any user could do the same and gain access to anyone's BigPond email account.
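The report names the class of flaw (SQL injection in a login and password-change path) but not the query involved. The following is an added example, not BigPond's code and not phuzz's proof of concept: a hypothetical login and password-reset handler over a constructed SQLite table, written once with string-built queries (injectable) and once with parameterized queries. The table, user names and passwords are constructed for the example, and passwords are stored in plaintext only to keep the example short.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the example (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation: input becomes SQL syntax.

    A username such as "bob' --" closes the quoted string and comments out
    the password condition, so the row for bob is returned without the
    password ever being checked.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is only ever data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def reset_password_vulnerable(conn, username, new_password):
    """Password reset built by concatenation. Returns rows updated.

    A username such as "x' OR '1'='1" makes the WHERE clause true for
    every row, so every account's password is overwritten in one request.
    """
    cur = conn.execute(
        f"UPDATE users SET password = '{new_password}' WHERE username = '{username}'"
    )
    conn.commit()
    return cur.rowcount


def reset_password_safe(conn, username, new_password):
    """Parameterized reset: only an exact username match is updated."""
    cur = conn.execute(
        "UPDATE users SET password = ? WHERE username = ?",
        (new_password, username),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    # Log in as bob without his password via the injectable path.
    print(login_vulnerable(db, "bob' --", "wrong"))          # bob
    print(login_safe(db, "bob' --", "wrong"))                # None
    # Overwrite every password via the injectable reset path.
    print(reset_password_safe(db, "x' OR '1'='1", "pwned"))        # 0
    print(reset_password_vulnerable(db, "x' OR '1'='1", "pwned"))  # 2
    print(login_safe(db, "alice", "pwned"))                  # alice
```

The two injectable functions show the two outcomes the report describes, logging in as another user without the password and resetting another user's password. The parameterized versions close both with no change to the application logic, which is the usual fix for this class of bug; a real system would additionally store only password hashes and require proof of control of the account (current password or a verified reset token) before changing it.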
BigPond has since patched the vulnerability, but it has questioned phuzz's claim, saying it cannot find the issue and that he is overstating the impact.
It does say, however, that it will continue to investigate in order to secure its systems.