[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e22p7r$5rq$1@sea.gmane.org>
Date: Tue Apr 18 14:23:43 2006
From: davek_throwaway at hotmail.com (Dave "No, not that one" Korn)
Subject: Re: [Argeniss] Alert - Yahoo! Webmail XSS
Morning Wood wrote:
> reflecting on this...
>
> the offending url you give is http://w00tynetwork.com/x/
> which contains a fake yahoo login ( for webmail )
> (( and other exploits embedded within the site ))
>
>
> you state this is a Yahoo Email vulnerability.
>
> stop me if im wrong...
> why would anyone be vulnerable to a Yahoo login redirect phish, if in
> fact they are already logged in to read the mail in the first place.
Dunno about anyone else, but I have occasionally found that Yahoo has a
bad habit of forgetting I'm authenticated and continually requiring me to
relogin even in one continuous session.
> i can appriciate the possibility of XSS within the Yahoo webmail
> interface, just not
> with this particular redirect code ( or site url ) you provide.
>
> XSS could be more effectivly used to leverage a browser exploit,
> rather than ( trying to )
> steal your credentals ala phishing
Well, maybe they were hoping to be able to read his mail stealthily later
on, while he wasn't logged in? If you want to steal the entire contents of
someones mailbox, you don't really want to use an XSS to automatically
forward all the mail to somewhere you can get it, since that amount of
scripting would likely take a noticeable amount of time and transactions
with yahoo's servers to run and the slow responsiveness of the browser might
give a clue that something was going on; a better way is just to get their
password and then login sometime when they're not online or perhaps use the
pw with POP/IMAP to snarf down the entire lot.
Or perhaps they were hoping that he uses the same pw in lots of places?
cheers,
DaveK
--
Can't think of a witty .sigline today....
Powered by blists - more mailing lists