Full Disclosure mailing list archives
No notification security team presents
From: n3td3v <xploitable () gmail com>
Date: Thu, 21 Apr 2005 20:00:56 +0100
A n3td3v production by a non-team of prior notification of the vend0r, hahaha. I have contacted Yahoo twice since the 29th of March 2005 on this issue.

The Yahoo 360 website offers social networking and blogging, all in one. This service presently allows viewers of a blog to leave comments related to an entry made by the blog owner. This blog entry allows evil, malicious users to flood the entry with countless comments. An evil and malicious user could flood it with garbage messages, just to annoy the blog owner. However, an evil and very malicious user could make money by using his bot network to spam the entire Yahoo 360 network of blog entries with "comment spam". This spam may contain e-commerce propaganda to get a user to click a URL to buy a product. What's more, a very evil and malicious user could use this vulnerability for "phishing" purposes. This spam may contain very evil and malicious content and a URL to lure an unsuspecting user into visiting a specified location with, just for instance, a fake Yahoo login page. This spam/flood vulnerability offers many options on a number of levels for the malicious user to choose from.

A solution could be implemented where a legitimate user is asked to enter a word, to verify no bot is present.

Also, I believe from sources that the Yahoo 360 network is vulnerable to a number of different types of DDoS attacks, generally. This is unrelated specifically to the comment spam vulnerability I have disclosed to you today.

So, anyway, Yahoo had the opportunity one month ago to patch this problem. Yahoo security admins were aware. They obviously didn't pass on the information to the Yahoo 360 team; therefore, they are accountable for misconduct. After realising this misconduct, I made a second advisory. This second advisory was made to the Yahoo 360 team directly, via a newly published blog.
The address for the blog comment made on the Yahoo 360 team blog is http://blog.360.yahoo.com/blog-1qCkw2Ehaak.hdNZkEAzDrpa4Q--?p=2#comment under the alias "n3td3v".

Thanks,
n3td3v
http://www.geocities.com/n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
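The comment-flood scenario and the "enter a word" countermeasure the post proposes, as an added example that is not part of the original post and not Yahoo's code: a small server-side guard for a comment endpoint that combines a sliding-window rate limit per poster with a single-use, expiring challenge. The class name `CommentGuard`, the thresholds, the in-memory stores, the constructed word list and the plain-text challenge word (standing in for a distorted CAPTCHA image) are all assumptions made for illustration.

```python
"""Added example (not from the original post or from Yahoo): a comment
endpoint guard that (1) rate-limits submissions per poster over a sliding
window, counting rejected attempts too, and (2) requires a single-use,
expiring challenge answer, the CAPTCHA-style check the post suggests.
Every name, threshold and data store here is an assumption."""
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed stand-in for a CAPTCHA image: in a real deployment the answer
# would be rendered as a distorted image, not handed back as plain text.
CHALLENGE_WORDS = ["lantern", "harbour", "quartz", "meadow", "saffron", "ember"]


class CommentGuard:
    """Hypothetical guard in front of a 'post comment' handler."""

    def __init__(self, max_per_window=5, window_seconds=60,
                 challenge_ttl=300, now=time.time):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.ttl = challenge_ttl
        self._now = now                       # injectable clock for testing
        self._recent = defaultdict(deque)     # poster -> attempt timestamps
        self._challenges = {}                 # challenge_id -> (answer, expiry)

    def issue_challenge(self):
        """Return (challenge_id, answer). The answer is returned only so a
        caller can simulate a human; the real handler would render it."""
        word = secrets.choice(CHALLENGE_WORDS)
        cid = secrets.token_hex(8)
        self._challenges[cid] = (word, self._now() + self.ttl)
        return cid, word

    def _rate_limited(self, poster):
        """Sliding window: prune old attempts, record this one, then check.
        Rejected attempts count as well, so a bot cycling through challenges
        or guessing answers still runs into the limit."""
        now = self._now()
        q = self._recent[poster]
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_per_window

    def submit(self, poster, challenge_id, answer, body):
        """Return 'accepted' or a 'rejected: ...' reason for a comment."""
        if self._rate_limited(poster):
            return "rejected: rate limited"
        entry = self._challenges.pop(challenge_id, None)   # single use
        if entry is None:
            return "rejected: unknown or reused challenge"
        expected, expiry = entry
        if self._now() > expiry:
            return "rejected: challenge expired"
        # Constant-time comparison; both sides are ASCII strings.
        if not hmac.compare_digest(expected, answer.strip().lower()):
            return "rejected: wrong answer"
        # At this point the real handler would store `body` for the entry.
        return "accepted"


if __name__ == "__main__":
    guard = CommentGuard(max_per_window=3)
    cid, word = guard.issue_challenge()
    print(guard.submit("alice", cid, word, "first comment"))
    print(guard.submit("alice", cid, word, "replayed challenge"))
```

The rate limit is checked before the challenge is consumed, so a flooding client is refused without the server doing challenge bookkeeping for it, and attempts are counted whether or not they succeed. The challenge is popped on first use so a solved token cannot be replayed across many comments.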