From: xploitable at gmail.com (xploitable)
Subject: Yahoo! Spam Attack Mailers

Should I bother naming the Yahoo! service anymore or just start
listing the mailers?

mailer3.bulk.scd.yahoo.com is vulnerable to be used to attack the Yahoo!
mail network, and by the way it seems all the bulk mailers are
vulnerable.

I would imagine all the way up the numbers, such as mailer1, mailer2,
mailer3 and so on.

This one is used when a user clicks on an "Add to My Yahoo!". The
service allows Yahoo! consumers to add an RSS Yahoo! module to a
consumer's My Yahoo! page. A link is then available for the consumer to
send the same module to a friend. Also Yahoo! News "E-mail this story
to a friend" uses the same bulk mailer.

All vulnerable to be used to attack Yahoo! Mail accounts. Mail will
go to the inbox and not the bulk mail folder, allowing a malicious user
to very quickly flood the inbox with repeated My Yahoo! RSS module links
or Yahoo! News story links.

Example for My Yahoo! RSS module mail to a friend page:
http://mtf.news.yahoo.com/mailto?url=http%3a//e.my.yahoo.com/config/cstore%3f.opt=content%26.node=1%26.sid=171771&title=Choose+Content&prop=mycstore&locale=us&h1=ymessenger+at+Yahoo!+Groups&h2=n3td3v&h3=http%3a//my.yahoo.com

Example for Yahoo! News story link mail to a friend page:

http://mtf.news.yahoo.com/mailto?url=http%3a//story.news.yahoo.com/news%3ftmpl=story%26u=/ap/20041006/ap_on_re_mi_ea/us_iraq_weapons&title=U.S.+Report+Finds+No+Evidence+of+Iraq+WMD%0a&prop=dailynews&locale=us&h1=ap/20041006/us_iraq_weapons&h2=T&h3=540

-- 
http://www.geocities.com/n3td3v

