Full Disclosure mailing list archives

Re: Re:multi billion dollar corporation hasnt blah blah


From: "Jeb Bush" <xploitable () gmail com>
Date: Mon, 28 Aug 2006 18:48:37 +0100

On 8/28/06, Jeb Osama <mkmaxx () gmail com> wrote:


> From: "Jeb Bush" <xploitable () gmail com >
> Subject: [Full-disclosure] Fwd: multi billion dollar corporation hasnt
>         fixed   its privacy flaw yet
>
> ---------- Forwarded message ----------
> From: Jeb Bush < xploitable () gmail com>
> Date: Aug 26, 2006 11:20 PM
> Subject: multi billion dollar corporation hasnt fixed its privacy flaw yet
> To: security () yahoo-inc com
>
>
> if you agree to add each other as a friend on yahoo messenger
>
> and one user decides to ignore you
>
> the malicious user who was ignored only needs to create a secondary
> yahoo id on the same account to see the person's online status
>
> regards
>
> -Jeb
>
>

Were you always shunned by your kind??

Regards
Jeb

This is an old flaw that's been left for years by the Yahoo security team.

There is history behind it.

The flaw has been used countless times to launch attacks against Yahoo
employees.

The flaw allows you to read the victim's status message.

This means telephone numbers.... etc.... whatever the victim adds to
their status message is disclosed.

In short, you can read your victim's ignore list. This is very useful
to launch attacks with.

Usually when the victim removes you from their list and adds you to
their ignore list, their online status goes offline forever.

However, if the attacker goes to
http://manage.members.yahoo.com/index_listprofiles.html and creates a
secondary yahoo i.d on the same account and the attacker logs back into
yahoo messenger on the new second yahoo i.d on the same account, then
everyone who ignored you reappears as online with telephone numbers,
corporate links....corporate info that's in the employee's status
message.

you can use this to

detect all your yahoo i.d's a person has ignored

read someone's status message with confidential info

phish and socially engineer a victim (based on info in their status
message, pretend to be someone on their legitimate list of friends
etc)

use in conjunction with a bigger attack launched against yahoo
employees and yahoo dot com (or any other company)

basically....

once a yahoo user agrees to add you as a friend on yahoo messenger,
you are basically agreeing for life, with this flaw. even though the
current yahoo messenger ignore is meant to protect your status message
info and privacy, it doesn't

this has been vulnerable for years and years

yahoo are well aware of it

the cause of the flaw is because yahoo doesn't remove yahoo i.d's from
both friends lists

the victim's i.d stays on the attacker's list forever... all it takes is
a secondary yahoo i.d to be created by the attacker, from the original
yahoo i.d the victim agreed to add to their friends list all those
years ago.

there's a lot of folks i have on my list who thought they had ignored
me years ago, but to this day i've been reading all the info and web
links they've been putting in their yahoo messenger status!

if you think this flaw isn't serious, you haven't heard the half of
the security incidents that occur because of it.

It is good as well for a yahoo messenger worm, because the attacker
knows which of his yahoo i.d's are ignored, so can create new ones
which he knows will reach the victim's i.m box.

the victim never finds out at any stage what's going on, as far as the
victim knows, the attacker is gone, and the victim thinks they know
who can see the status message e.g. friends...not enemies.

don't play with me and my intelligence Mike M you know it's a threat
and if i'm telling you about it then you know it can be used to hack
yahoo employees

-Jeb

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
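
The per-ID ignore check described in the message above, modelled beside an account-level check. This is an added example, not part of the original post and not Yahoo's code; the class names, data layout and sample values are constructed assumptions.

```python
# Constructed model: names, layout and sample values are assumptions.
from dataclasses import dataclass, field

@dataclass
class Account:
    ids: set                                    # every profile ID on this account
    buddies: set = field(default_factory=set)   # list shared by all of its IDs
    ignored: set = field(default_factory=set)   # IDs this account has ignored
    status: str = ""

class Directory:
    def __init__(self, *accounts):
        self.by_id = {i: a for a in accounts for i in a.ids}

    def add_profile_id(self, existing_id, new_id):
        account = self.by_id[existing_id]
        account.ids.add(new_id)
        self.by_id[new_id] = account

    def status_per_id(self, viewer_id, target_id):
        # Behaviour described in the post: ignore matches the literal ID only,
        # and only the viewer's own list is consulted.
        viewer, target = self.by_id[viewer_id], self.by_id[target_id]
        visible = target_id in viewer.buddies and viewer_id not in target.ignored
        return target.status if visible else None

    def status_per_account(self, viewer_id, target_id):
        # Hardened: ignore covers every ID on the viewer's account, and the
        # target must still list one of those IDs (two-sided relationship).
        viewer, target = self.by_id[viewer_id], self.by_id[target_id]
        if viewer.ids & target.ignored:
            return None
        mutual = target_id in viewer.buddies and bool(viewer.ids & target.buddies)
        return target.status if mutual else None

def demo():
    owner = Account(ids={"owner_id"}, buddies={"friend_id"}, status="desk 555-0100")
    friend = Account(ids={"friend_id"}, buddies={"owner_id"})
    removed = Account(ids={"removed_id"}, buddies={"owner_id"})  # list never cleaned
    d = Directory(owner, friend, removed)
    owner.ignored.add("removed_id")              # owner removed and ignored this ID
    d.add_profile_id("removed_id", "removed_id2")
    return (d.status_per_id("removed_id", "owner_id"),
            d.status_per_id("removed_id2", "owner_id"),
            d.status_per_account("removed_id2", "owner_id"),
            d.status_per_account("friend_id", "owner_id"))
```

The four values returned by `demo()` are the ignored ID's view, the new profile ID under the per-ID check, the same ID under the account-level check, and a legitimate friend's view.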

