Date: Mon, 28 Aug 2006 21:55:06 +0200
From: Anders B Jansson <hdw@...listi.se>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Re:multi billion dollar corporation hasnt blah blah

Oh, something almost comprehensible from a surprising source.

However, I think you need some ABC in corporate security.

Jeb Bush wrote:
> The flaw allows you to read the victim's status message.
> 
> This means telephone numbers.... etc.... whatever the victim adds to
> their status message is disclosed.
Oh, the horror.
> 
> In short, you can read your victims ignore list. This is very useful
> to launch attacks with.
> 
> Usually when the victim removes you from their list and adds you to
> their ignore list, their online status goes offline forever.
> 
> However, if the attacker goes to
> http://manage.members.yahoo.com/index_listprofiles.html and creates a
> secondary Yahoo ID on the same account, and the attacker logs back into
> Yahoo Messenger on the new second Yahoo ID on the same account, then
> everyone who ignored you reappears as online, with telephone numbers,
> corporate links... corporate info that's in the employee's status
> message.
> 
> You can use this to
> 
> detect all your Yahoo IDs a person has ignored
> 
> read someone's status message with confidential info
Why in the world would anyone put 'confidential' information in their status?
On an Internet wide service?

If any corporation anywhere allows their employees to use Yahoo for corporate use, they're so deep in the yoghurt that this is the smallest of their issues.

> this has been vulnerable for years and years
> 
> yahoo are well aware of it
And so is anyone engaged in corporate security.
Many companies use various 'messenger' software internally, but only on secure corporate nets, against secure corporate servers.
Connecting to any form of external platform is (1) against corporate policy and (2) denied by firewalls and proxies.

You can of course bypass that, but that is equal to industrial sabotage and leads to (1) you're fired, (2) you're sued for damages.

There are tons of security issues with every online 'community' service.
But they're personal security issues, not corporate security issues.

And as stated, if an issue like this would ever touch corporate security, then that corporation is so deep in yoghurt that this would be the least of its problems.

-- 
// hdw

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
