Date: Sat Jun 24 23:39:15 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Beginners guide to owning Yahoo network

The Yahoo Messenger web form allows you to socially engineer your victim into
sending you a Yahoo Messenger invite. The Yahoo employee or Yahoo user will at
no point ever know that their default e-mail address, matching the e-mail
address within their Yahoo account information page, has been e-mailed to the
attacker.

Here is the proof of concept:
http://groups.google.com/group/n3td3v/browse_thread/thread/e87fd21e6c898eae/fb52c0a5386aab42#fb52c0a5386aab42

Where it says "n3td3v-owner@...glegroups.com" is the default e-mail address of
the Yahoo account.
This information wasn't submitted by the Yahoo account owner; it is sent by
the Yahoo system automatically, without account owner interaction or
notification. The attacker now has full disclosure of the victim's e-mail
address attached to the victim's Yahoo account for resetting an account
password.

Basic social engineering concept:

attacker: hi
victim: hi
attacker: can you invite me to use yahoo messenger?
victim: sure, how do i do it?
attacker: just goto tools > manage friends > invite friend to sign up
attacker: or goto http://messenger.yahoo.com/invitefriends.php
victim: ok babe, whats your e-mail address?
attacker: random@...acker.net
victim: sent!

Vulnerable:
option 1. By instant messaging victim via Yahoo Messenger:
Yahoo Messenger users via application (all versions),
could be exploited in robot-based (including virus/worm) social engineering
and phishing attack on Yahoo Messenger network, asking victim to select
"invite friend to sign-up" with e-mail address of attacker in the
instant message.

option 2. By e-mailing victim via Yahoo Mail:
Yahoo Mail users via http://messenger.yahoo.com/invitefriends.php
could be exploited in robot-based (including virus/worm) social engineering
and phishing attack on Yahoo Mail network, asking victim to visit invite
link with e-mail address of
attacker in e-mail message.

option 3. Also via e-mail, you can set up your own webpage, by modifying the
original web form script, to look like a Yahoo web form of your choice, if you
do not want to make the form look related to Yahoo Messenger.
You could dress the web form up to look like a Yahoo News article "e-mail to
friend" form, for example.
The third-party malicious webpage form can be done because, additionally,
the original "e-mail a Yahoo Messenger invite" form has no word verification
system, allowing the invite form to be placed on an attacker's webpage, rather
than Yahoo's legitimate web page location at
http://messenger.yahoo.com/invitefriends.php

option 4. Once the attacker robot has been sent the default e-mail of the
Yahoo! ID, you can then write your robot to send
malicious activity to the disclosed e-mail address, and other ideas I won't
mention on a public list to make your attack even stronger (like an e-mail
pretending to be Yahoo account services, or exploit code payload, even XSS
code is enough). Though basically, you can use this vulnerability
as part of a bigger world-wide virus project you are currently developing, in
conjunction with other vulnerabilities.

Vendor: Yahoo is now notified via full-disclosure@...ts.grok.org.uk

Credit: n3td3v

Web: http://n3td3v.googlepages.com

Yahoo, you make IM-based and e-mail-based bot/worm/virus attacks on your
network possible, with such lame security attack vectors as this.

Who is the real lamer, the people showing up your lack of basic security, or
you, the people who miss out such obvious attack vectors, which can, because
you are Yahoo, affect hundreds of thousands of users globally?

We may publish a list of e-mail addresses later, with Yahoo! IDs attached,
that we managed to harvest in a test run of this vulnerability.