Message-ID: <4b6ee9310608281048h3d4ee606ic5d8daa353f49f62@mail.gmail.com>
Date: Mon, 28 Aug 2006 18:48:37 +0100
From: "Jeb Bush" <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Re:multi billion dollar corporation hasnt blah
	blah

On 8/28/06, Jeb Osama <mkmaxx@...il.com> wrote:
>
>
> > From: "Jeb Bush" <xploitable@...il.com >
> > Subject: [Full-disclosure] Fwd: multi billion dollar corporation hasnt
> >         fixed   its privacy flaw yet
> >
> > ---------- Forwarded message ----------
> > From: Jeb Bush < xploitable@...il.com>
> > Date: Aug 26, 2006 11:20 PM
> > Subject: multi billion dollar corporation hasnt fixed its privacy flaw yet
> > To: security@...oo-inc.com
> >
> >
> > if you agree to add each other as a friend on yahoo messenger
> >
> > and one user decides to ignore you
> >
> > the malicious user who was ignored only needs to create a secondary
> > yahoo id on the same account to see the person's online status
> >
> > regards
> >
> > -Jeb
> >
> >
>
> Were you always shunned by your kind??
>
> Regards
> Jeb

This is an old flaw that's been left for years by the Yahoo security team.

There is history behind it.

The flaw has been used countless times to launch attacks against Yahoo
employees.

The flaw allows you to read the victim's status message.

This means telephone numbers.... etc.... whatever the victim adds to
their status message is disclosed.

In short, you can read your victim's ignore list. This is very useful
to launch attacks with.

Usually when the victim removes you from their list and adds you to
their ignore list, their online status goes offline forever.

However, if the attacker goes to
http://manage.members.yahoo.com/index_listprofiles.html and creates a
secondary yahoo i.d on the same account and the attacker logs back into
yahoo messenger on the new second yahoo i.d on the same account, then
everyone who ignored you reappears as online with telephone numbers,
corporate links....corporate info that's in the employee's status
message.

you can use this to

detect all your yahoo i.d's a person has ignored

read someones status message with confidential info

phish and socially engineer a victim (based on info in their status
message, pretend to be someone on their legitimate list of friends
etc)

use in conjunction with a bigger attack launched against yahoo
employees and yahoo dot com (or any other company)

basically....

once a yahoo user agrees to add you as a friend on yahoo messenger,
you are basically agreeing for life, with this flaw. even though the
current yahoo messenger ignore is meant to protect your status message
info and privacy, it doesn't

this has been vulnerable for years and years

yahoo are well aware of it

the cause of the flaw is because yahoo doesn't remove yahoo i.d's from
both friends lists

the victim's i.d stays on the attacker's list forever... all it takes is
a secondary yahoo i.d to be created by the attacker, from the original
yahoo i.d the victim agreed to add to their friends list all those
years ago.

there's a lot of folks i have on my list who thought they had ignored
me years ago, but to this day i've been reading all the info and web
links they've been putting in their yahoo messenger status!

if you think this flaw isn't serious, you haven't heard the half of
the security incidents that occur because of it.

It is good as well for a yahoo messenger worm, because the attacker
knows which of his yahoo i.d's are ignored, so can create new ones
which he knows will reach the victim's i.m box.

the victim never finds out at any stage what's going on, as far as the
victim knows, the attacker is gone, and the victim thinks they know
who can see the status message, e.g. friends...not enemies.

don't play with me and my intelligence Mike M you know it's a threat
and if i'm telling you about it then you know it can be used to hack
yahoo employees

-Jeb

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
