Date: Thu Apr 21 20:01:04 2005
From: xploitable at gmail.com (n3td3v)
Subject: No notification security team presents

A n3td3v production by a non-team of prior notification of the vend0r, hahaha.

I have contacted Yahoo twice since the 29th of March 2005 on this issue.

The Yahoo 360 website offers social networking and blogging, all in one.

This service allows presently for viewers of a blog to leave comments
related to an entry made by the blog owner.

This blog entry allows evil, malicious users to flood the entry with
countless comments.

An evil and malicious user could flood with garbage messages, just to
annoy the blog owner.

However, an evil and very malicious user could make money by using his
bot network to spam the entire Yahoo 360 network of blog entries with
"comment spam".

This spam may contain e-commerce propaganda, to get a user to click a
URL to buy a product.

What's more, a very evil and malicious user could use this
vulnerability for "phishing" purposes.

This spam may contain very evil and malicious content and a URL to lure
an unsuspecting user into visiting a specified location, with, just
for instance, a fake Yahoo login page.

This spam/flood vulnerability offers many options on a number of
levels for the malicious user to choose from.

A solution could be implemented, where a legitimate user is asked to
enter a word, to verify no bot is present.

Also, I believe from sources that the Yahoo 360 network is vulnerable
to a number of different types of DDoS attacks, generally. This is
unrelated specifically to the comment spam vulnerability I have
disclosed to you today.

So, anyway, Yahoo had the opportunity one month ago to patch this
problem. Yahoo security admins were aware. They obviously didn't pass
on the information to the Yahoo 360 team, therefore, they are
accountable for misconduct.

After realising this misconduct, I made a second advisory. This second
advisory was made to the Yahoo 360 team directly, via a newly
published blog. The address for the blog comment made on the Yahoo 360
team blog is http://blog.360.yahoo.com/blog-1qCkw2Ehaak.hdNZkEAzDrpa4Q--?p=2#comment
under the alias "n3td3v".

Thanks, n3td3v

http://www.geocities.com/n3td3v
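The advisory above describes two flood patterns (one account bursting comments, and a bot network spread across many accounts) and proposes a word challenge as the fix. The following is an added example, not code from the advisory or from Yahoo, of a comment-submission gate that implements that idea: each poster gets a sliding-window rate limit, and each blog entry is also watched as a whole so that a bot network whose members each stay under the per-poster limit still trips the challenge. The class name, thresholds and the constructed scenario are all assumptions made for illustration.

```python
# Added example (not from the advisory or Yahoo): a comment gate that
# rate-limits per poster and per blog entry, escalating to a word
# challenge ("enter a word to verify no bot is present") on abuse.
from collections import defaultdict, deque


def _prune(q, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while q and now - q[0] >= window:
        q.popleft()


class CommentGate:
    ACCEPTED = "accepted"
    RATE_LIMITED = "rate_limited"
    CHALLENGE_REQUIRED = "challenge_required"

    def __init__(self, window=60.0, max_per_poster=5, max_per_entry=30,
                 strikes_before_challenge=2):
        self.window = window                    # seconds (assumed values)
        self.max_per_poster = max_per_poster    # comments per poster per window
        self.max_per_entry = max_per_entry      # comments per entry per window
        self.strikes_before_challenge = strikes_before_challenge
        # In a real deployment the poster key should combine account and
        # source IP; here it is just an opaque string.
        self._poster_hist = defaultdict(deque)  # poster -> accepted timestamps
        self._entry_hist = defaultdict(deque)   # entry  -> accepted timestamps
        self._strikes = defaultdict(int)        # poster -> rejected attempts
        self._challenged = set()                # posters who must solve the word
        self._hot_entries = set()               # entries currently under flood

    def submit(self, entry, poster, now, challenge_passed=False):
        """Decide on one comment attempt; `now` is a monotonic timestamp."""
        # Anyone already flagged, or posting to a flooded entry, must
        # present a solved challenge with every comment.
        if (poster in self._challenged or entry in self._hot_entries) \
                and not challenge_passed:
            return self.CHALLENGE_REQUIRED

        # Per-poster limit applies even after a challenge is solved, so a
        # CAPTCHA-solving farm still cannot burst from one account.
        ph = self._poster_hist[poster]
        _prune(ph, now, self.window)
        if len(ph) >= self.max_per_poster:
            self._strikes[poster] += 1
            if self._strikes[poster] >= self.strikes_before_challenge:
                self._challenged.add(poster)
                return self.CHALLENGE_REQUIRED
            return self.RATE_LIMITED

        # Per-entry limit catches the distributed case: many accounts,
        # each under its own limit, piling onto one blog post.
        eh = self._entry_hist[entry]
        _prune(eh, now, self.window)
        if not challenge_passed and len(eh) >= self.max_per_entry:
            self._hot_entries.add(entry)
            return self.CHALLENGE_REQUIRED

        ph.append(now)
        eh.append(now)
        return self.ACCEPTED


def simulate_flood():
    """Constructed scenario (not real traffic): a single-account burst,
    then a 40-bot network, then a legitimate reader on the flooded entry."""
    gate = CommentGate()
    out = {}
    # One spammer posts eight comments in eight seconds on entry "p2".
    out["single"] = [gate.submit("p2", "spammer", float(t)) for t in range(8)]
    # The same account returns later with the word challenge solved.
    out["after_challenge"] = gate.submit("p2", "spammer", 70.0,
                                         challenge_passed=True)
    # Forty bots post once each to entry "p3", all under the per-poster cap.
    out["bots"] = [gate.submit("p3", "bot%d" % i, 10.0 + i * 0.1)
                   for i in range(40)]
    # A legitimate reader now hits the flooded entry, then solves the word.
    out["reader"] = gate.submit("p3", "alice", 20.0)
    out["reader_solved"] = gate.submit("p3", "alice", 21.0,
                                       challenge_passed=True)
    return out


if __name__ == "__main__":
    for name, value in simulate_flood().items():
        print(name, value)
```

The per-entry cap is what distinguishes this from a plain per-user limiter: a bot network that spreads its comments across many accounts never exceeds the per-poster threshold, but the entry as a whole does, and from that point every commenter on it, bot or human, has to solve the word before the comment is stored.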
