Date: Sat Jun 24 23:39:15 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Beginners guide to owning Yahoo network

Yahoo Messenger web form allows you to socially engineer your victim to send you a Yahoo Messenger invite. The Yahoo employee or Yahoo user at no point will ever know that their default e-mail address, matching the e-mail address within their Yahoo account information page, has been e-mailed to the attacker.

Here is the proof of concept:
http://groups.google.com/group/n3td3v/browse_thread/thread/e87fd21e6c898eae/fb52c0a5386aab42#fb52c0a5386aab42

Where it says "n3td3v-owner@...glegroups.com" is the default e-mail address of the Yahoo account. This information wasn't submitted by the Yahoo account owner; it is sent by the Yahoo system automatically without account owner interaction or notification.

The attacker now has full disclosure of the victim's e-mail address attached to the victim's Yahoo account for resetting an account password.

Basic social engineering concept:

attacker: hi
victim: hi
attacker: can you invite me to use yahoo messenger?
victim: sure, how do i do it?
attacker: just goto tools > manage friends > invite friend to sign up
attacker: or goto http://messenger.yahoo.com/invitefriends.php
victim: ok babe, whats your e-mail address?
attacker: random@...acker.net
victim: sent!

Vulnerable:

option 1. By instant messaging victim via Yahoo Messenger: Yahoo Messenger users via application (all versions) could be exploited in a robot-based (including virus/worm) social engineering and phishing attack on the Yahoo Messenger network, asking the victim to select "invite friend to sign-up" with the e-mail address of the attacker in the instant message.

option 2. By e-mailing victim via Yahoo Mail: Yahoo Mail users via http://messenger.yahoo.com/invitefriends.php could be exploited in a robot-based (including virus/worm) social engineering and phishing attack on the Yahoo Mail network, asking the victim to visit the invite link with the e-mail address of the attacker in the e-mail message.

option 3. Also via e-mail, you can set up your own webpage, by modifying the original web form script, to look like a Yahoo web form of your choice, if you do not want to make the form look related to Yahoo Messenger. You could dress the web form up to look like a Yahoo News article e-mail to friend form, for example. The third party malicious webpage form can be done because, additionally, the original "e-mail a Yahoo Messenger invite" form has no word verification system, allowing the invite form to be placed on an attacker's webpage rather than at Yahoo's legitimate web page location at http://messenger.yahoo.com/invitefriends.php

option 4. Once the attacker robot has been sent the default e-mail of the Yahoo! ID, you can then write your robot to send malicious activity to the disclosed e-mail address, and other ideas I won't mention on a public list to make your attack even stronger (like an e-mail pretending to be Yahoo account services, or exploit code payload, even XSS code is enough). Though basically, you can use this vulnerability as part of a bigger world-wide virus project you are currently developing, in conjunction with other vulnerabilities.

Vendor: Yahoo is now notified via full-disclosure@...ts.grok.org.uk

Credit: n3td3v

Web: http://n3td3v.googlepages.com

Yahoo, you make i.m. based and e-mail based bot/worm/virus attacks on your network possible, with such lame security attack vectors as this. Who is the real lamer: the people showing up your lack of basic security, or you, the people who miss out such obvious attack vectors, which can, because you are Yahoo, affect hundreds of thousands of users globally?

We may publish a list of e-mail addresses later, with Yahoo! IDs attached, that we managed to harvest in a test run of this vulnerability.
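An added example, not part of the original post and not Yahoo's code: a server-side invite handler that shows the disclosure described above next to a hardened form of it. It assumes a per-session HMAC form token in place of the "word verification" the post mentions; every name, address and key in it is constructed for illustration.

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import formataddr

# All names, addresses and the key below are constructed for illustration.
SERVER_KEY = b"constructed-demo-key"
NOREPLY = "invites-noreply@messenger.example"

def form_token(session_id: str) -> str:
    """Token embedded in the invite form when the service itself renders it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def invite_leaky(account: dict, recipient: str) -> EmailMessage:
    """Behaviour described in the post: the account's default address is
    placed in the outgoing invite without the owner supplying it."""
    msg = EmailMessage()
    msg["From"] = formataddr((account["id"], account["default_email"]))
    msg["To"] = recipient
    msg["Subject"] = "Messenger invitation"
    msg.set_content(f"{account['id']} invites you to sign up.")
    return msg

def invite_hardened(account: dict, recipient: str,
                    session_id: str, token: str) -> EmailMessage:
    """Reject posts that did not come from the service's own form, and send
    from a service address so only the public ID is revealed."""
    if not hmac.compare_digest(token, form_token(session_id)):
        raise PermissionError("invite form token missing or invalid")
    msg = EmailMessage()
    msg["From"] = formataddr((f"{account['id']} via Messenger", NOREPLY))
    msg["To"] = recipient
    msg["Subject"] = "Messenger invitation"
    msg.set_content(f"{account['id']} invites you to sign up.")
    return msg

def discloses(msg: EmailMessage, account: dict) -> bool:
    """True if the account's default address appears anywhere in the message."""
    return account["default_email"] in msg.as_string()

# Constructed sample account.
ACCOUNT = {"id": "sample_user", "default_email": "owner@private.example"}
```

Running `discloses()` over every outbound template in a test suite catches regressions where a recovery address leaks back into user-triggered mail.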