Message-ID: <4b6ee93105030214104afea89b@mail.gmail.com>
From: xploitable at gmail.com (n3td3v)
Subject: Yahoo Messenger. Yahoo Mail vulnerable
Yahoo today introduced a year 10 promotion to allow users to buy a
free ice cream, and view propaganda on the last 10 years of Yahoo.
The location http://birthday.yahoo.com/netrospective/ has e-mail to
friend functionality. This e-mail to friend form offers no protection
to Yahoo Messenger or Yahoo! Mail users. A very evil and malicious
user can flood a Yahoo! Mail user's inbox with non-stop e-mail
messages. Repeated messages usually go to the bulk folder
automatically. This mail to friend function at
http://mtf.news.yahoo.com/mailto?url=http%3A%2F%2Fbirthday.yahoo.com%2Fnetrospective%2F&title=Yahoo!+Happy+10th+Birthday&prop=birthday&locale=us
bypasses all Yahoo mail spam filters. What's more, if the victim is
a keen user of the Yahoo! Messenger service, you can bomb the victim
with non-stop dialog popup boxes notifying you of new mail, because
the spammed messages all go to the inbox, which the Yahoo! Messenger
mail notifier keeps an eye on. On a wider picture of things, a very
evil and malicious user can slow down Yahoo's mail hardware by using
your harvested e-mail addresses you've been using for phishing on
Yahoo! Mail network. Yahoo! corporate mail is also affected by this
spam vulnerability. A very evil and malicious user can bring Yahoo's
internal mail system to a crawl, with your botnet, which you were using
to make money from marketers who were paying you to spam inboxes
under normal money-making circumstances.
Thanks for your time, security community.
n3td3v once again shows up Yahoo's bad security management. Here's to
another ten years!!!
This is my security list, it's better than FD!! ;-)
http://groups-beta.google.com/group/n3td3v
My last advisory was the Google Groups script injection vulnerability.
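
Added example, not part of the original post and not Yahoo code: one way a mail-to-friend form can cap sends per recipient as well as per source, so that repeated messages to one inbox stop even when they arrive from many hosts. The class name, helper, cap values and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class ShareThrottle:
    """Sliding-window caps for a mail-to-friend form (hypothetical design)."""

    def __init__(self, per_recipient=3, per_source=10, window=3600):
        self.per_recipient = per_recipient  # accepted sends per recipient per window
        self.per_source = per_source        # accepted sends per source IP per window
        self.window = window                # window length in seconds
        self._hits = defaultdict(deque)     # key -> timestamps of accepted sends

    def _count(self, key, now):
        # Drop timestamps that have aged out of the window, then count the rest.
        q = self._hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def allow(self, source_ip, recipient, now):
        # Normalise the address so case changes do not create a fresh bucket.
        rkey = ("rcpt", recipient.strip().lower())
        skey = ("src", source_ip)
        # The recipient cap is checked first: it still holds when the
        # requests are spread over many source addresses.
        if self._count(rkey, now) >= self.per_recipient:
            return False, "recipient cap"
        if self._count(skey, now) >= self.per_source:
            return False, "source cap"
        self._hits[rkey].append(now)
        self._hits[skey].append(now)
        return True, "ok"


def replay(requests, throttle):
    """Run (timestamp, source_ip, recipient) tuples through the throttle."""
    return [throttle.allow(ip, rcpt, ts)[0] for ts, ip, rcpt in requests]


# Constructed sample requests (documentation addresses, not real traffic).
SAMPLE = [
    (0, "198.51.100.7", "victim@example.com"),
    (1, "198.51.100.7", "victim@example.com"),
    (2, "198.51.100.8", "Victim@example.com"),
    (3, "198.51.100.9", "victim@example.com"),     # fourth send, new source
    (4, "198.51.100.7", "other@example.com"),
    (3700, "198.51.100.7", "victim@example.com"),  # earlier sends have aged out
]
```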