Message-ID: <BAY12-F11EE06BAA62FEBD91FEE62B70D0@phx.gbl>
Date: Tue May 24 07:47:08 2005
From: smaillist at hotmail.com (Sowhat .)
Subject: Yahoo! Mail Username Information Disclosure Vulnerability
Yahoo! Mail Username Information Disclosure Vulnerability
By Sowhat
2005.05.23
http://secway.org/advisory/ad20050523.txt
Vendor
Yahoo! Inc.
Overview:
Yahoo! Mail (http://mail.yahoo.com) is one of the Web's largest, most popular free email providers. Yahoo! Mail helps people stay in touch at home, at work or while traveling for business or pleasure. Yahoo! Mail is fully integrated with Yahoo!’s many other popular services to make it easy to access all the Internet services people need. Yahoo! Mail has received a variety of prominent industry accolades including “Best Free E-Mail” for three years by PC World, and CNET Editors’ Choice awards.
Details:
There is a design flaw in Yahoo! Mail that discloses username information to an attacker. It can be used to harvest all valid e-mail addresses @yahoo.com, which can then be used to spam those users or to crack passwords in a reverse way.
The vulnerability specifically exists in the following page:
SBC Yahoo!
http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/
(Note that http://mail.yahoo.com is not vulnerable :)
This login page responds with different messages depending on the validity of the entered username.
For example, if you enter a username which doesn't exist, "SowhatS0what", with any password, it returns: "This Yahoo! ID does not exist. Are you trying to sign up as SowhatS0what".
If you enter a valid username such as "Sowhat" with a wrong password such as "secway.org", it returns "Invalid Password".
Also, it seems that they do not limit the number of times you can try to log in as different users, so it is fairly easy to write a script to automatically harvest all the valid usernames (the e-mail addresses).
This may be bad news for Yahoo! users, since they may receive more "interesting" e-mails. The attacker can also do something else, such as brute-forcing the password in a reverse way: for example, harvest enough valid usernames, then brute force which of them have the password "passw0rd".
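The flaw above is a username oracle: the login handler's error text differs depending on whether the ID exists. The following added example (not Yahoo!'s code; the user store, salt, hash and per-client attempt limit are constructed assumptions) shows a handler that reproduces that behaviour next to a hardened one that returns a single failure message, hashes on every path, and caps failed attempts per client so the unlimited-retry harvesting described in the advisory is also blunted.

```python
"""Username-enumeration oracle vs. hardened login check (added example)."""
import hashlib
import hmac
from collections import defaultdict


def _digest(pw: str) -> str:
    # Constructed salted hash; a real deployment would use a slow KDF.
    return hashlib.sha256(b"constructed-salt" + pw.encode()).hexdigest()


# Constructed sample user store: lower-cased username -> password digest.
USERS = {"sowhat": _digest("correct horse")}


def login_vulnerable(username: str, password: str) -> str:
    """Mirrors the advisory: the response reveals whether the ID exists."""
    stored = USERS.get(username.lower())
    if stored is None:
        return f"This Yahoo! ID does not exist. Are you trying to sign up as {username}"
    if not hmac.compare_digest(stored, _digest(password)):
        return "Invalid Password"
    return "OK"


# Hardened variant: one message for every failure plus a per-client cap.
FAILURE = "Invalid ID or password"
MAX_ATTEMPTS = 5
_failed = defaultdict(int)  # client identifier -> consecutive failures


def login_hardened(client: str, username: str, password: str) -> str:
    """Same result text for unknown ID, wrong password and throttled client."""
    if _failed[client] >= MAX_ATTEMPTS:
        return FAILURE  # throttled: identical text, so no new oracle
    stored = USERS.get(username.lower())
    # Hash on every path so response time does not stand in for the message.
    candidate = _digest(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        _failed[client] += 1
        return FAILURE
    _failed[client] = 0
    return "OK"
```

The two handlers also illustrate the detection angle: many distinct usernames from one client that all receive the same failure text is the signal a defender can alert on, whereas the vulnerable handler hands the attacker that distinction for free.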
Vendor Response:
I had dropped a mail to security@...oo-inc.com on 2005-05-17, but no response yet. Maybe they think that Yahoo! Mail has a good spam filter :) So finally I decided to release it.
It has not been fixed as of sending this advisory.
#btw: I have tried to post this msg to FD from Gmail many many times BUT failed, does anyone else suffer this?