| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 21 Sep 2008 17:33:00 +1200 From: Nick FitzGerald <nick@...us-l.demon.co.uk> To: full-disclosure@...ts.grok.org.uk Subject: Re: ITTS012008 - YAHOO WEB MAIL URL REDIR Martin Fallon wrote: <<big snip>> > > VI - CRONOLOGY > ---------------- > > 09/09/2008 - Vulnerability Discovered. > 09/10/2008 - Attempt to contact yahoo - no success. > 09/11/2008 - Attempt to contact yahoo - no success. > 09/15/2008 - Attempt to contact yahoo - no success. > 09/20/2008 - Advisore Published. Sometimes I wonder why we bother... This has been used in the past (and maybe even to phish Yahoo -- not sure now). Several times. And reported thusly. Maybe Yahoo just doesn't care? They fixed this same redirector issue on other Yahoo sub-domains, but missed (or chose not to fix it on) the "login" sub-domain. The gibbons in their web dev teams must be seriously underpaid, or just don't care. The Yahoo! security wonks who got this fixed on the other sub-domains back in February will be a tad pissed at the gibbons for missing this instance though, I suspect... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists