Re: Secure Yahoo logins

["Nick Jacobsen" <nick () ethicsdesign com>]

A couple things -  one, yahoo DOES send the password in plain text, you just
have to capture it at the right time, and two, wether or not your users are
logging in securely doesn't really matter, as it is REALLY easy to ARP
poison, and then perform a man in the middle attack...  you should try using
ettercap instead of ethereal, to see this...  ettercap supports full,
automated ARP poisoning, as well as automating the mitm attack process...
it supports SSH(Secure Telnet) and SSL(HTTPS) decryption and sniffing, as
well as having a very well documented API for plugins...

I guess my main point is that if you are having your users log in using
"secure log in" for the express reason of making it so their password cannot
be sniffed, it is pointless, as anyone can STILL sniff it!

Nick J.
Ethics Design
nick () ethicsdesign com
ethics () netzero net



----- Original Message -----
From: "Jeremy" <prrthd () myrealbox com>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, August 27, 2002 3:10 PM
Subject: Secure Yahoo logins


Hello all,

  Recently, it has come to my attention that many of our users are using the
standard login to access their yahoo accounts. I want to push a policy that
requires them to use the secure login option instead. I would like to show
my boss that you can capture the username and password by simply doing some
sniffing.
  Well, to do a test I fired up ethereal and captured a session of me
logging into a new yahoo account. What kind of suprised me is the password
looks encrypted. My first guess was it was just base 64 mime encoded but
that turned out to be wrong. Does anyone have any idea on how they encrypt
their passwords or have any tools that will try and crack the passwords.
  My other question is if the passwords are encrypted why do they offer a
secure login option? How does that increase security, other than adding a
brief ssl session.

Thanks,
  Jeremy