
List:       full-disclosure
Subject:    [Full-disclosure] meetOne: Vulnerabilities and iPhone Data Theft
From:       John Johnson-Doe <johnsondoejohn () gmail ! com>
Date:       2012-07-27 8:09:31
Message-ID: CAM9ijKaXcZOgEz6Sv6b3wm9bMBH2ob6ZVQXcJzazP1rWx9wRqw () mail ! gmail ! com

SUMMARY

meetOne, currently in Germany in the Top 50 social apps of the iTunes
Store, has multiple vulnerabilities and has been found guilty of stealing
Apple iPhone address books and abusing the e-mail addresses there for spam.
Apple Inc. is ignoring the data theft and it seems even suppressing
information about it. meetOne also has lost its complete user database to
the public, including CLEARTEXT passwords, and refuses to properly inform
its members.

meetOne is a subsidiary of ProSiebenSat.1, one of Germany's largest media
corporations and running some of its largest TV stations, where meetOne is
actively promoted. We've run into serious problems getting information
about the following data thefts and breaches published, probably because
most German media outlets do not want to tackle a direct competitor like
ProSieben.

ANALYSIS FOLLOWS

If you run the network traffic of the "meetOneToGo" iPhone application
immediately after starting it and logging in through ngrep, you will notice
multiple curious things:

* Passwords are sent in clear text over HTTP (possibly identifying
information has been cleared and replaced by ___ in the examples)

    GET /api/phoneapi.php?service=base&action=apiAuthorization&version=2.2&format=json&username=___&password=___ HTTP/1.1

    HTTP/1.1 200 OK
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Content-Type: application/json
    Date: ___
    Expires: Thu, 19 Nov 1981 __:__:__ GMT
    P3P: CP="HONK"
    Pragma: no-cache
    Server: nginx/1.0.12
    Set-Cookie: sid=________________________________; path=/; domain=.meetone.com
    X-Powered-By: PHP/5.3.10-1~dotdeb.1
    Content-Length: ___
    Connection: keep-alive

    {"authorization":{"result":true,"sessionId":"________________________________"},"coinsCount":"10","memberId":"_______","unreadEmails":null,"unreadTelegrams":null,"unreadNotifications":"0","mySex":"MALE","lang":"en","username":"___","password":"___"}




A couple of API calls later, it will upload your iPhone address book without
asking the user first. Please note, that the API name does not even
disguise, that the feature is used for "inviting" (=spamming) those users
(session id and irrelevant information removed from the example, to shorten
it). In our experience, spam mails are sent 1-2 weeks later after the
information has been stolen. Users are sent an e-mail where they're told
they received a message on the site (even though they are not even
registered yet at that moment) and have to register, to read the message
(which is then a pretty lame "Welcome to meetOne").

    POST /api/phoneapi.php HTTP/1.1
    Host: iphone.meetone.com
    User-Agent: meetOne/2.2 CFNetwork/548.1.4 Darwin/11.0.0
    Content-Type: multipart/form-data; boundary=0xKhTmLbOuNdArY

    --0xKhTmLbOuNdArY
    Content-Disposition: form-data; name="format"

    json
    --0xKhTmLbOuNdArY
    Content-Disposition: form-data; name="service"

    base
    --0xKhTmLbOuNdArY
    Content-Disposition: form-data; name="action"

    queueInvitations

    --0xKhTmLbOuNdArY
    Content-Disposition: form-data; name="name[]"

    Name of first person in address book
    --0xKhTmLbOuNdArY
    Content-Disposition: form-data; name="name[]"

    Name of second person in address book and so on.
    --0xKhTmLbOuNdArY
    Content-Disposition: form-data; name="email[]"

    e-mail address of first person in address book
    --0xKhTmLbOuNdArY
    Content-Disposition: form-data; name="email[]"

    e-mail address of second person in address book and so on

Apple Inc. has been informed about this breach of German data protection
laws and their own appstore rules on the 19th of July. Unfortunately, they
do not pull the app from app store and allow the stealing of address books
to continue.

On the 22nd of July, we were informed by Apple that "leider konnten wir
anhand der sehr guten Rezessionen dieses Apps keine Auffälligkeiten
feststellen.", which means (including a pretty lame misspelling by Apple's
support), that Apple could not see further reports of this behaviour in the
user reviews of the app and therefore WILL NOT ACT. This is especially
ridiculous, as we know of at least one case, where a user review, which
warned users about the data theft, was deleted by Apple from the store. So,
it seems Apple is basing its decisions partly on the same user reviews
which it censors itself. After we threatened, that we will publish our
findings on the 23rd of July, we were promised the case will be sent to the
review team in the USA for further examination. Since then, we have not
heard anything from Apple and further inquiries are simply ignored and stay
unanswered.

To add insult to the injury, the site even leaks all stolen e-mail
addresses to the public:

    http://de.meetone.com/?aid=vrl-as&invID=1000&lpt=B

The page contains an input type="hidden" field with the e-mail address of
the "invited" person. If you count the invID parameter up or down, you can
access about 8 million e-mail addresses which were obtained by stealing
iPhone address books. We found our own address book entries there, which
the app earlier stole.


Now, on to the most serious data breach. The app sends an API call:

    GET /api/phoneapi.php?service=member&action=getMemberData&version=2.2&format=json&memberId=______&sid=______


Unfortunately, it was possible to call the same API WITHOUT session id, and
with ANY (numerical) memberID and it happily returned all the users'
information. As an experiment, we queried the data of member id "3" - a
JSON dataset is returned, containing the clear text password as well as all
kinds of information, like the sexual preferences of the user, in some
cases even phone numbers or postal addresses.

We've shortened the example considerably and removed identifying
information by replacing critical places with ____.  The account seems to
belong to the owner of the site, by the way.


After being informed by heise online
(http://www.h-online.com/security/news/item/Password-leak-at-meetOne-1652783.html),
the site closed at least this data leakage and reset the passwords of all
its members. Unfortunately, they chose NOT TO INFORM their members of the
data leakage (it seems it has been open for months, nobody knows, who
retrieved the data, as even the site owners admit), instead they disguised
the password reset as a "regular routine", so users of the site, which
happened to use the same password somewhere else, still consider their
passwords safe.

Due to the lackluster media interest and Apple's non-reaction, we've seen no
other choice than full disclosure in this case.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
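
The getMemberData flaw described in the message (any numeric memberId answered without a session id, with the whole record including the password returned) is a missing object-level authorization check combined with an unfiltered response. The sketch below is an added example, not code from the original post or from meetOne; the in-memory stores, function names and sample rows are assumptions, and it puts the described behaviour next to a handler that requires a valid session and builds the response from an allow-list.

```python
import secrets

# Constructed sample rows; field names follow the JSON response quoted in the post.
# A real store would hold only a salted, slow password hash, never the password.
MEMBERS = {
    3: {"memberID": "3", "username": "member-three", "city": "Berlin", "sex": "MALE",
        "email": "three@example.invalid", "password": "constructed-secret",
        "pass_salt": "constructed", "pass_hash": "constructed", "ipAddress": "192.0.2.10"},
    7: {"memberID": "7", "username": "member-seven", "city": "Hamburg", "sex": "FEMALE",
        "email": "seven@example.invalid", "password": "constructed-secret-2",
        "pass_salt": "constructed", "pass_hash": "constructed", "ipAddress": "192.0.2.11"},
}
SESSIONS = {}  # hypothetical in-memory session store: sid -> memberId

# Responses are built from allow-lists, so a new sensitive column is never
# exposed just because it was added to the table.
PUBLIC_FIELDS = ("memberID", "username", "city", "sex")
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)
NEVER_RETURNED = ("password", "pass_salt", "pass_hash", "autologin", "ipAddress")
assert not set(OWNER_FIELDS) & set(NEVER_RETURNED)


def open_session(member_id):
    """Create an unguessable session id bound to one member."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = member_id
    return sid


def get_member_data_vulnerable(params):
    """Behaviour described in the post: sid ignored, whole row returned."""
    row = MEMBERS.get(int(params["memberId"]))
    if row is None:
        return 404, {"result": False}
    return 200, {"result": True, "personalData": dict(row)}


def get_member_data_hardened(params):
    """Require a valid session, validate the id, filter fields by relationship."""
    sid = params.get("sid")
    caller = SESSIONS.get(sid) if isinstance(sid, str) else None
    if caller is None:
        return 401, {"result": False, "error": "authentication required"}

    raw = params.get("memberId", "")
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
        return 400, {"result": False, "error": "invalid memberId"}

    row = MEMBERS.get(int(raw))
    if row is None:
        return 404, {"result": False}

    # Object-level authorization: only the owner sees owner-only fields.
    fields = OWNER_FIELDS if caller == int(raw) else PUBLIC_FIELDS
    return 200, {"result": True,
                 "personalData": {k: row[k] for k in fields if k in row}}
```

The session id in this sketch would travel in a cookie or header over TLS rather than in the query string, which is the other problem the message points out.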
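
Three of the behaviours in the message leave traces an operator can find in ordinary web server access logs: credentials in the query string, getMemberData answered without a sid, and one client stepping through consecutive invID or memberId values. The script below is an added example, not part of the original post; the log lines are constructed in a combined-log-like format with documentation addresses, and the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

SENSITIVE_PARAMS = {"password", "sid"}   # should never appear in a URL
ID_PARAMS = {"memberId", "invID"}        # numeric object references from the post
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
REDACT_RE = re.compile(r'(?<=[?&])(' + "|".join(sorted(SENSITIVE_PARAMS)) + r')=[^&\s"]*')

# Constructed sample log; not captured traffic.
_TS = "[27/Jul/2012:08:00:00 +0000]"
_API = "/api/phoneapi.php?version=2.2&format=json"
SAMPLE_LOG = [
    f'192.0.2.10 - - {_TS} "GET {_API}&service=base&action=apiAuthorization'
    f'&username=alice&password=hunter2 HTTP/1.1" 200 312',
    f'192.0.2.10 - - {_TS} "GET {_API}&service=member&action=getMemberData'
    f'&memberId=41&sid=0123abcd HTTP/1.1" 200 900',
    f'203.0.113.5 - - {_TS} "GET {_API}&service=member&action=getMemberData'
    f'&memberId=3 HTTP/1.1" 200 9000',
] + [
    f'198.51.100.7 - - {_TS} "GET /?aid=vrl-as&invID={n}&lpt=B HTTP/1.1" 200 5120'
    for n in range(1000, 1005)
]


def parse_request(line):
    """Return client, status and query parameters, or None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
    return {"client": m["client"], "status": m["status"], "params": params}


def credentials_in_urls(lines):
    """(line index, parameter names) for requests carrying secrets in the URL."""
    hits = []
    for i, line in enumerate(lines):
        req = parse_request(line)
        if req:
            names = sorted({k for k, _ in req["params"]} & SENSITIVE_PARAMS)
            if names:
                hits.append((i, names))
    return hits


def unauthenticated_member_reads(lines):
    """Indexes of getMemberData calls answered with 200 although no sid was sent."""
    hits = []
    for i, line in enumerate(lines):
        req = parse_request(line)
        if req and req["status"] == "200":
            q = dict(req["params"])
            if q.get("action") == "getMemberData" and not q.get("sid"):
                hits.append(i)
    return hits


def id_walkers(lines, min_run=4):
    """(client, parameter) -> longest run of consecutive ids, if at least min_run."""
    seen = defaultdict(set)
    for line in lines:
        req = parse_request(line)
        if not req:
            continue
        for key, value in req["params"]:
            if key in ID_PARAMS and value.isascii() and value.isdigit():
                seen[(req["client"], key)].add(int(value))
    walkers = {}
    for who, ids in seen.items():
        best = run = 0
        prev = None
        for n in sorted(ids):
            run = run + 1 if prev is not None and n == prev + 1 else 1
            best = max(best, run)
            prev = n
        if best >= min_run:
            walkers[who] = best
    return walkers


def redact(line):
    """Scrub secret values before a log line is stored or forwarded."""
    return REDACT_RE.sub(r"\1=REDACTED", line)


if __name__ == "__main__":
    print(credentials_in_urls(SAMPLE_LOG))
    print(unauthenticated_member_reads(SAMPLE_LOG))
    print(id_walkers(SAMPLE_LOG))
    print(redact(SAMPLE_LOG[0]))
```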
