
Plaxo Security Bulletins

March 15, 2004

Plaxo addresses phishing vulnerability reported in ZDNET UK article

Plaxo was notified by the European security firm Lodoga, which had identified a phishing vulnerability on the Plaxo Web User sign-in page. With the assistance of Lodoga, Plaxo fixed the vulnerability within an hour of receiving the report and before the ZDNET UK article was published. Lodoga security experts, as the reporting user, also verified the fix.

Limited in scope to the smaller population of Plaxo Web users, the vulnerability required tricking a Plaxo member into clicking a specifically crafted hyperlink that would lead the user to a doctored page.

After a security review of all Plaxo accounts and logs, we do not believe any user's data was compromised beyond that of those who reported the problems. Nevertheless, we've made a number of additional changes and security enhancements in order to minimize the occurrence of these types of problems.

Current Status: Resolved. No action required by Plaxo Users.


March 12, 2004

Plaxo addresses code injection vulnerability reported on SecurityFocus BugTraq Mailing List

Plaxo was notified by readers of the BugTraq Mailing List of a vulnerability that allowed arbitrary code injection into a Plaxo user's Web account. Within hours of the BugTraq posting, the vulnerability was fixed and a patch was deployed to our server environment.

Limited in scope to the smaller population of Plaxo Web Users, the vulnerability required the malicious user to already be in a Plaxo user's address book and to have received a Plaxo Update Request from the potential victim. A security review of all Plaxo accounts showed that only the reporting user was impacted. Changes have been made to how user data is processed and presented to minimize the recurrence of these types of problems.

Current Status: Resolved. No action required by Plaxo Users.


Questions and comments about these bulletins can be sent to:
