Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

No notification security team presents

From: n3td3v <xploitable () gmail com>
Date: Thu, 21 Apr 2005 20:00:56 +0100
A n3td3v production by a non-team of prior notification of the vend0r, hahaha.

I have contacted Yahoo twice since the 29th of March 2005 on this issue.

The Yahoo 360 website offers social networking and blogging, all in one.

This service allows presently for viewers of a blog to leave comments
related to an entry made by the blog owner.

This blog entry allows a evil malicious users to flood the entry with
countless comments.

A evil and malicious user could flood with garbage messages, just to
annoy the blog owner.

However, a evil and very malicious user could make money by using his
bot network, to spam the entire Yahoo 360 network of blog entires with
"comment spam".

This spam may contain e-commerce propaganda, to get a user to click a
URL to buy a product.

Whats more though is, A very evil and malicious user could use this
vulnerability for "phishing" purposes.

This spam may contain very evil and malicious content and URL to lure
an unsuspecting user into visiting a specified location, with, just
for instance, a fake Yahoo login page.

This spam/flood vulnerabilty offers many options on a number of
levels, for the malicious user to choose from.

A solution could be implemented, where a legitimate user is asked to
enter a word, to verify no bot is present.

Also, I believe from sources, that the Yahoo 360 network is vulnerable
from a  number of different types of DDoS attacks, generally. This is
unrelated specifically to the comment spam vulnerability I have
disclosed to you today.

So, anyway, Yahoo had the opportunity one month ago to patch this
problem. Yahoo security admins were aware. They obviously didn't pass
on the information to the Yahoo 360 team, therefore, they are
accountable for misconduct.

After realising this misconduct, I made a second advisory. This second
advisory was made to the Yahoo 360 team directly, via a newly
published blog. The address for the blog comment made on the Yahoo 360
team blog is http://blog.360.yahoo.com/blog-1qCkw2Ehaak.hdNZkEAzDrpa4Q--?p=2#comment
under the alias "n3td3v".

Thanks, n3td3v

http www geocities com n3td3v
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: