lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 15 Aug 2006 19:18:11 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: RE: Yahoo/Geocities possible exploit/vulnerability

Jain, Siddhartha wrote:

> The phishing apart, how can a userid be spoofed on Yahoo Messenger? Is
> this something trivial? I thought Yahoo fixed the issue with Y!Messenger
> 5.0.

Ummmm -- unless I'm missing something here (and as I've already said 
I'm NOT a YIM expert), in any system (like YIM) that only does user 
identification through a username-and-password-style login, if someone 
knows your username and password, then that someone _is_ you as far as 
said system is concerned.  Of course, the phishers (or their bots) 
behind this scam are not really you, but YIM doesn't know that, so to 
YIM there is no spoofing -- when the phisher/bot did a YIM login with 
your credentials, as far as YIM was concerned, _you_ were logging in...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ