Message-id: <44E21DF3.9558.AA465A1F@nick.virus-l.demon.co.uk>
Date: Tue, 15 Aug 2006 19:18:11 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: RE: Yahoo/Geocities possible exploit/vulnerability

Jain, Siddhartha wrote:

> The phishing apart, how can a userid be spoofed on Yahoo Messenger? Is
> this something trivial? I thought Yahoo fixed the issue with Y!Messenger
> 5.0.

Ummmm -- unless I'm missing something here (and as I've already said 
I'm NOT a YIM expert), in any system (like YIM) that only does user 
identification through a username-and-password-style login, if someone 
knows your username and password, then that someone _is_ you as far as 
said system is concerned.  Of course, the phishers (or their bots) 
behind this scam are not really you, but YIM doesn't know that, so to 
YIM there is no spoofing -- when the phisher/bot did a YIM login with 
your credentials, as far as YIM was concerned, _you_ were logging in...


Regards,

Nick FitzGerald

