| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: xploitable at gmail.com (xploitable) Subject: Yahoo! Spam Filter Vulnerability > xploitable <xploitable@...il.com> wrote: > > Yahoo! Tuesday made public a preview of its coming new and improved homepage. > > A link from Yahoo!s homepage takes you to > http://www.yahoo.com/promos/learn.html, where users can learn more > about the new and improved functionality. > > On the learn.html page is a link > http://promotions.yahoo.com/frontpage_04/ud/fp2_taf.html to invite > friends or co-workers to view the New and Improved Homepage. > > This feature allows anyone to spam the Yahoo! Mail servers. Consumer > or Corporate mailboxes will be flooded with repeated invites, if a > malicious users codes a simple program to do so. > > All spammed invites do not goto the bulk folder as they should, they > arrive on the inbox, as repeated invites. > > This allows a malicious users to quickly bring Yahoo! Mail network to > a crawl and fill up a victims storage space very, very quickly. > > Yahoo! were notified of a similar vulnerability for its Yahoo! Mail > spam filters earlier this year with regards of its invite feature, on > the Yahoo! Messenger 6 IM client, it seems Yahoo! do not learn from > past mistakes. > > For this current vulnerability, the vendor has not been contacted. > > Happy Yahoo! Mail flooding. > > Discovered today by n3td3v > > -- > http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html Yahoo! security professionals have now fixed this flaw in security. If I had sent this to Yahoo!s security address from my personal past experiences, this flaw would still be pending and possibly have taken upto a week for Yahoo! security professionals to get round to implementing a solution. This is proof that indeed full-disclosure does work, even if its considered evil to post information which script kiddies could act upon to commit malicious activities on Yahoo! I only made this full disclosure after trying over several months to make contact with Yahoo! security professionals on other security matters, without success. This was more my way of testing my theory that Yahoo! security professionals would infact raise the priority of a problem to be fixed, if a public disclosure was made to a security community mailing list, such as "Full-Disclosure". I advise others to try and make contact with security professionals first by using security@...oo-inc.com, but if you fail to get any common sense feedback from them, by all means, post flaws in security to a public mailing list. This way you can be sure, the flaw will be put to the top of Yahoo!s to-do-list agenda, before any other technical vulnerability. Hopefully someone at Yahoo! will learn something from this, but probably not. They'll undoubtly keep treating everyone like shit. -- http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.
Powered by blists - more mailing lists