Message-ID: <4b6ee9310607110515m2400e96eh53ca364b49d421cb@mail.gmail.com>
Date: Tue Jul 11 15:11:23 2006
From: xploitable at gmail.com (n3td3v)
Subject: Yahoo IM spoofing
On 7/11/06, James Lay <jlay@...ve-tothe-box.net> wrote:
>
> Hey all!
>
> Just saw this today for the first time...someone actually spoofing IM's
> in yahoo chat. Is this a new exploit or did I miss something? Thank
> you.
>
> James
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
We stopped reporting instant message and voice chat exploits for Yahoo years
ago. There are at least 40 holes which I know about but am sitting
on for a rainy day. Yahoo turned their back on instant message and voice
chat security when they decided not to have anyone talk to the localized
yahoo security community, to keep in touch with what's going on. Now Yahoo
are playing a 'blind date' between Yahoo _and_ the localized yahoo security
community. They get no early warnings for exploits, and often Yahoo are
finding out about exploits weeks after they have been exploited on their
production servers. It didn't use to be like that, often because Yahoo had
people in the community, they were able to know about exploits before they
reached production servers. Because of the old early warning, incidents
would only add up to 'hackers attacking hackers' with exploits, now because
Yahoo are not finding out about exploits, the attacks are spreading out to
exploit 'consumers' outside of the localized yahoo security community. This
is because of a change in policy by Yahoo where they decided _not_ to
be-friend hackers anymore, to get early warning reports of 0day. Which is
confusing, because the system was working well, so much so, some folks at
Yahoo core security team were unofficially entertaining the idea to pay
folks to be informants per valid 0day reported to the be-friender(s). Yeah,
that's how bad the situation is right now. There are no be-frienders anymore,
and backs are being turned by yahoo security team. The troubles for Yahoo
aren't going away anytime soon, because the number of exploits are still
there, just minus the intelligence they were getting from folks like n3td3v
and friends in the underground, who had intimate relationships with
employees over a wide period. That's why there's more now on Yahoo leaking out
to mailing lists and to the media, because folks have no other choice,
there's no befrienders anymore, they are too busy protecting their job titles
now, after things got nasty. It turns out those Yahoo befrienders got into
n3td3v and the underground too deep, and they didn't know what the risks
might be for their career and reputation, and it didn't help them, because
even the befrienders have questionable security community backgrounds, so it
was easy for n3td3v and others to put pressure on them, when Yahoo weren't
meeting us half way. The biggest thing I managed to influence them with was
getting them to implement the security.yahoo.com web site to give consumers
basic security information, another demand we made was that, a web link for
Yahoo 'Guide to Online Security' was placed at the footer of all major
Yahoo property pages, in exchange for 0day. There's other things we took
advantage of these befrienders for, but in the end, the demands got too
demanding, so they pulled out from talking to n3td3v and friends anymore.
Now Yahoo public exploits are increasing, along with network wide attacks on
mail, chat, instant message etc. Before Yahoo had it contained with their
'special relationships' but as soon as they broke, so did communications,
and 'meet us half way' agreements. There's now a new meaning for '0day in the
wild' between n3td3v and friends and Yahoo security team & befriender
employees, because exploits really are out there now, and Yahoo aren't
finding out until these exploits start affecting the global security
situation on the internet, far outreaching Yahoo. Where big firms like
Symantec and online media journalists are involved.