View Full Version : Yahoo Mail Authentication Bypass
ddlmail
08-01-2006, 05:14 AM
Yahoo Multiple Vulnerabilities
Various Yahoo! services are vulnerable to authentication bypass, session
binding, weak cookie encoding, cross-site scripting file inclusion and url
redirection vulnerabilities, which is caused due to improper validation of
user-supplied inputs.
*. Authentication Bypass and Session Binding Vulnerability.
A malicious user can log on to the yahoo without submitting the username
and password by constructing a malicious URL using cookies.
2. Cookie Encoding Security Weakness
*. Cross-Site Scripting.
4. URL redirection.
Full Story in http://www.xdisclose.com
_________________________________________________________________
Ezekiel
08-01-2006, 06:38 AM
This is a serious threat to yahoo users' privacy, just click this link and you bypass any sort of authentication to get into a test account:
http://msg.edit.**********/config/reset_cookies?&.y=Y=v=*%26n=0kvgvgv*qlf**%26l=i42.j4ij/o&.t=T=sk=DAAq25kB4yjEbw%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egExemt6RUJnV0E-&.done=http%*a//mail.**********
Now why do I know this (interesting) thread will get NO replies, while the 'password hacking requests here' will get 20 more posts from retarded kids.
toast
08-01-2006, 01:26 PM
Oh shit, it worked. Wow...I didnt realize it, till I did it...
This is sad....
T
icedcold
08-17-2006, 04:04 PM
Wow...thats crazy....man....
hack_victim100
08-18-2006, 01:03 AM
Hey Mike,
When I clicked on the link it just gave me a login page. What exactly did u mean by bypass of authentication process.
Please let me know.
Thanks.
Hack Victim
hack_victim100
08-18-2006, 02:30 PM
Hey Toast and Icecold,
Please let me know what did u mean when u said it worked. for me its just giving me a login page. I need to know this as it might help me regain access to my hacked account. Please let me know.
Thanks.
D
Ezekiel
08-19-2006, 05:44 AM
Hey Mike,
When I clicked on the link it just gave me a login page. What exactly did u mean by bypass of authentication process.
Please let me know.
Thanks.
Hack Victim
They probably fixed it now. But it only logged into the account because the user's encrypted password or whatever was included in the URL. You are not gonna get into someone's account with this, even if they didn't fix it.
toast
08-21-2006, 04:13 PM
I was wondering if it is possible to mimic the little security lock when making a fake login page. You know the off color url box and the lock….
I was thinking it is possible but I’m not sure.
~Thanks~ Toast
Ezekiel
08-21-2006, 06:58 PM
I was wondering if it is possible to mimic the little security lock when making a fake login page. You know the off color url box and the lock….
I was thinking it is possible but I’m not sure.
~Thanks~ Toast
Not the off color address bar (which is only in firefox, isn't it? I haven't used IE in so long now...), but you could possibly mimic the security lock with a custom favicon. I don't know if the alignment would be right (and it would only look correct in the browser which you took the icon from), but it's worth investigating.
I can provide more info on what favicons are, but i'm too busy right now. Wikipedia can though (http://en.wikipedia.org/wiki/Favicon).
toast
08-22-2006, 10:38 AM
Cool, thanks! (and yes for the color bar in firefox; I dont use IE anymore either...)
I'll do some more digging.
~T
Ezekiel
08-22-2006, 02:20 PM
Well, immediately after I posted yesterday I realized that favicons are placed on the LEFT side of the address bar; and firefox shows the 'padlock icon' on the right of the address bar, and IE shows it right at the bottom-left of the browser.
Oh, and favicons are the little icons websites show, and are placed to the left of the URL in the address bar. All-nettools.com has one, with an 'i' in it.
In conclusion - using a favicon to show a fake padlock icon will only fool dumb internet users. Which is actually most of the population, according to a phishing report I read a couple of days ago.
toast
08-22-2006, 02:42 PM
lol, Thanks Mike.
:)
ddlmail
08-28-2006, 04:34 AM
The advisory is removed from the site. :(
Ezekiel
08-28-2006, 02:07 PM
The advisory is removed from the site. :(
Google found the document in another location. (http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060620/0*a*8*05/XD*0000*.txt)
Powered by vBulletin® Version 4.1.8 Copyright © 2024 vBulletin Solutions, Inc. All rights reserved.