Full Disclosure mailing list archives

Re: [Argeniss] Alert - Yahoo! Webmail XSS


From: "Dave \"No, not that one\" Korn" <davek_throwaway () hotmail com>
Date: Tue, 18 Apr 2006 14:23:06 +0100

Morning Wood wrote:
reflecting on this...

the offending url you give is http://w00tynetwork.com/x/
which contains a fake yahoo login ( for webmail )
(( and other exploits embedded within the site ))


you state this is a Yahoo Email vulnerability.

stop me if I'm wrong...
why would anyone be vulnerable to a Yahoo login redirect phish, if in
fact they are already logged in to read the mail in the first place?

  Dunno about anyone else, but I have occasionally found that Yahoo has a 
bad habit of forgetting I'm authenticated and continually requiring me to 
relogin even in one continuous session.

i can appreciate the possibility of XSS within the Yahoo webmail
interface, just not
with this particular redirect code ( or site url ) you provide.

XSS could be more effectively used to leverage a browser exploit,
rather than ( trying to )
steal your credentials à la phishing

  Well, maybe they were hoping to be able to read his mail stealthily later 
on, while he wasn't logged in?  If you want to steal the entire contents of 
someone's mailbox, you don't really want to use an XSS to automatically 
forward all the mail to somewhere you can get it, since that amount of 
scripting would likely take a noticeable amount of time and transactions 
with yahoo's servers to run, and the slow responsiveness of the browser might 
give a clue that something was going on; a better way is just to get their 
password and then login sometime when they're not online, or perhaps use the 
pw with POP/IMAP to snarf down the entire lot.

  Or perhaps they were hoping that he uses the same pw in lots of places?


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/