lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Apr 18 14:23:43 2006
From: davek_throwaway at hotmail.com (Dave "No, not that one" Korn)
Subject: Re: [Argeniss] Alert - Yahoo! Webmail XSS

Morning Wood wrote:
> reflecting on this...
>
> the offending url you give is http://w00tynetwork.com/x/
> which contains a fake yahoo login ( for webmail )
> (( and other exploits embedded within the site ))
>
>
> you state this is a Yahoo Email vulnerability.
>
> stop me if im wrong...
> why would anyone be vulnerable to a Yahoo login redirect phish, if in
> fact they are already logged in to read the mail in the first place.

  Dunno about anyone else, but I have occasionally found that Yahoo has a 
bad habit of forgetting I'm authenticated and continually requiring me to 
relogin even in one continuous session.

 > i can appriciate the possibility of XSS within the Yahoo webmail
> interface, just not
> with this particular redirect code ( or site url ) you provide.
>
> XSS could be more effectivly used to leverage a browser exploit,
> rather than ( trying to )
> steal your credentals ala phishing

  Well, maybe they were hoping to be able to read his mail stealthily later 
on, while he wasn't logged in?  If you want to steal the entire contents of 
someones mailbox, you don't really want to use an XSS to automatically 
forward all the mail to somewhere you can get it, since that amount of 
scripting would likely take a noticeable amount of time and transactions 
with yahoo's servers to run and the slow responsiveness of the browser might 
give a clue that something was going on; a better way is just to get their 
password and then login sometime when they're not online or perhaps use the 
pw with POP/IMAP to snarf down the entire lot.

  Or perhaps they were hoping that he uses the same pw in lots of places?


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ