Re: PLAXO: is that a cure or a disease?
In-Reply-To: <200403121752.i2CHqK8A028679@xxxxxxxxxxxxxxxxxxxxxxxxx>
Thanks for the report. This problem was fixed within hours of the original
post on 3/12/04.

While not diminishing the seriousness of the report, the impact of this
vulnerability required the malicious user to already be in the Plaxo user's
address book and to have received a Plaxo Update Request from the victim. A
security review of all Plaxo accounts showed no one besides the reporting user
had found this problem and therefore no other Plaxo member's data was impacted.

But nevertheless, since 3/12, we've made a number of additional changes and
enhancements to our service in order to minimize the occurrence of these types
of problems again.

We appreciate the assistance in finding this and we encourage people to
continue to bang on Plaxo. We only ask that if there is a next time, you give
us time to develop a fix before telling truly malicious users.