A serious vulnerability found in PwnedList could have been exploited to gain access to millions of account credentials collected by the service.
PwnedList was launched in 2011 as a service designed to allow users to check if their accounts have been compromised. InfoArmor acquired PwnedList in 2013 and a few months later it started using it to power a new solution called Vendor Security Monitoring, which alerts organizations when one of their third-party vendors suffers a security breach.
Security researcher Bob Hodges had been trying to add the .edu and .com domains he manages to his PwnedList watchlist when he discovered a serious flaw that allowed him to monitor any domain.
Users have to go through an approval process when they want to add a domain or email address to their watchlist. However, a parameter tampering vulnerability allowed Hodges to add any domain that he wanted.
The problem was that in the two-step process of adding a new element to the watchlist, the second step did not take into account the information submitted in the first step, allowing an attacker to submit arbitrary data by tampering with the request.
Read More:Millions of Credentials Exposed by PwnedList Flaw | SecurityWeek.Com
PwnedList was launched in 2011 as a service designed to allow users to check if their accounts have been compromised. InfoArmor acquired PwnedList in 2013 and a few months later it started using it to power a new solution called Vendor Security Monitoring, which alerts organizations when one of their third-party vendors suffers a security breach.
Security researcher Bob Hodges had been trying to add the .edu and .com domains he manages to his PwnedList watchlist when he discovered a serious flaw that allowed him to monitor any domain.
Users have to go through an approval process when they want to add a domain or email address to their watchlist. However, a parameter tampering vulnerability allowed Hodges to add any domain that he wanted.
The problem was that in the two-step process of adding a new element to the watchlist, the second step did not take into account the information submitted in the first step, allowing an attacker to submit arbitrary data by tampering with the request.
Read More:Millions of Credentials Exposed by PwnedList Flaw | SecurityWeek.Com
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
