Re: Yahoo Webmail Sessions

["Paul Kurczaba" <paul () myipis com>]

Maybe the problem lays within the "Last-Modified: " property of the HTTP
response. In your case, the proxy server believes the webmail page hasn't
changed, therefore it gives you the earlier users page; the cookie on your
computer doesn't match the earlier person's webmail session, therefore you
get the error. What happens if you clear the cache on the proxy server?

-Paul Kurczaba
----- Original Message ----- 
From: "Rohit" <rohits79 () yahoo com>
To: <security-basics () securityfocus com>
Sent: Tuesday, May 18, 2004 1:15 AM
Subject: Yahoo Webmail Sessions


> Hi All!!!,
>
> This is the third time I saw some one else's inbox
> i.e Yahoo Webmail, being opened right after signing in
> with my credentials.
>
> After typing in the credentials, I get an entirely new
> session. Further if I try to click open "Check mail" I
> get an - "invalid mailbox state" error.
>
> I am using mozilla firefox browser(on win2k) and am
> behind squid. Similarly in my last company ditto
> phenomenon occured ( but only once) using ISA proxy
> server (ISA plugin).
>
> Am I being sniffed etc ...
> Please can anyone give any pointers how this can
> happen and how can I avoid my session being hijacked
> to others similarly.
>
> Thanks
> rohit
>
>
>
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! - Internet access at a great low price.
> http://promo.yahoo.com/sbc/
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------