Vulnerability Development mailing list archives
Re: Secure Yahoo logins
From: "Nick Jacobsen" <nick () ethicsdesign com>
Date: Tue, 27 Aug 2002 20:36:40 -0700
A couple of things. One, Yahoo DOES send the password in plain text, you just have to capture it at the right time, and two, whether or not your users are logging in securely doesn't really matter, as it is REALLY easy to ARP poison and then perform a man-in-the-middle attack... you should try using ettercap instead of ethereal to see this... ettercap supports full, automated ARP poisoning, as well as automating the mitm attack process... it supports SSH (Secure Telnet) and SSL (HTTPS) decryption and sniffing, as well as having a very well documented API for plugins...

I guess my main point is that if you are having your users log in using "secure log in" for the express reason of making it so their password cannot be sniffed, it is pointless, as anyone can STILL sniff it!

Nick J.
Ethics Design
nick () ethicsdesign com
ethics () netzero net

----- Original Message -----
From: "Jeremy" <prrthd () myrealbox com>
To: <vuln-dev () securityfocus com>
Sent: Tuesday, August 27, 2002 3:10 PM
Subject: Secure Yahoo logins

Hello all,

Recently, it has come to my attention that many of our users are using the standard login to access their yahoo accounts. I want to push a policy that requires them to use the secure login option instead. I would like to show my boss that you can capture the username and password by simply doing some sniffing. Well, to do a test I fired up ethereal and captured a session of me logging into a new yahoo account. What kind of surprised me is the password looks encrypted. My first guess was it was just base 64 mime encoded, but that turned out to be wrong. Does anyone have any idea on how they encrypt their passwords or have any tools that will try and crack the passwords? My other question is if the passwords are encrypted, why do they offer a secure login option? How does that increase security, other than adding a brief ssl session?

Thanks,
Jeremy
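The ARP poisoning Nick describes as the precondition for the man-in-the-middle attack is also the part of it that is visible on the local segment: a host that starts answering ARP for addresses it does not own. The monitor below is an added example written for this archive page; it is not code from the thread, from ettercap, or from ethereal. It tracks IP-to-MAC bindings seen in ARP replies and raises an alert when a binding changes, when an operator-declared static binding (such as the gateway) is contradicted, or when one MAC claims more addresses than allowed. The log line format and all addresses are constructed for the example.

```python
"""Added example (not from the thread): flag ARP cache poisoning from a
stream of ARP replies, the step that precedes the MITM attack on the list.

Input format is constructed for this example, loosely modelled on tcpdump's
ARP output:  "<epoch-seconds> <sender-ip> is-at <sender-mac>"
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str      # "static-violation", "binding-changed" or "mac-claims-many"
    detail: str


def parse_arp_line(line: str) -> Optional[ArpReply]:
    """Parse one constructed log line; return None for anything else."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "is-at":
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return ArpReply(ts=ts, ip=parts[1], mac=parts[3].lower())


class ArpMonitor:
    """Remembers IP->MAC bindings and reports suspicious changes."""

    def __init__(self, static_bindings: Optional[Dict[str, str]] = None,
                 max_ips_per_mac: int = 1) -> None:
        # Bindings the operator asserts up front (e.g. the default gateway).
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.max_ips_per_mac = max_ips_per_mac
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, reply: ArpReply) -> List[Alert]:
        alerts: List[Alert] = []
        # 1. A reply that contradicts a declared static binding.
        expected = self.static.get(reply.ip)
        if expected is not None and reply.mac != expected:
            alerts.append(Alert(reply.ts, "static-violation",
                                f"{reply.ip} claimed by {reply.mac}, static binding is {expected}"))
        # 2. An address that was bound to one MAC and now appears on another.
        previous = self.ip_to_mac.get(reply.ip)
        if previous is not None and previous != reply.mac:
            alerts.append(Alert(reply.ts, "binding-changed",
                                f"{reply.ip} moved from {previous} to {reply.mac}"))
        self.ip_to_mac[reply.ip] = reply.mac
        # 3. One MAC answering for more addresses than it is allowed to.
        self.mac_to_ips[reply.mac].add(reply.ip)
        if len(self.mac_to_ips[reply.mac]) > self.max_ips_per_mac:
            alerts.append(Alert(reply.ts, "mac-claims-many",
                                f"{reply.mac} now answers for {sorted(self.mac_to_ips[reply.mac])}"))
        return alerts


def scan_log(lines: Iterable[str],
             static_bindings: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Run the monitor over a sequence of log lines and collect every alert."""
    monitor = ArpMonitor(static_bindings)
    alerts: List[Alert] = []
    for line in lines:
        reply = parse_arp_line(line)
        if reply is not None:
            alerts.extend(monitor.observe(reply))
    return alerts


# Constructed sample: a gateway, one workstation, then a third MAC that
# starts answering for both of them (the poisoning pattern).
SAMPLE_LOG = [
    "1030498600.0 10.0.0.1 is-at aa:bb:cc:00:00:01",
    "1030498601.0 10.0.0.20 is-at aa:bb:cc:00:00:20",
    "1030498602.0 10.0.0.20 is-at aa:bb:cc:00:00:20",
    "this line is not an ARP record",
    "1030498610.0 10.0.0.1 is-at de:ad:be:ef:00:01",
    "1030498610.5 10.0.0.20 is-at de:ad:be:ef:00:01",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, {"10.0.0.1": "AA:BB:CC:00:00:01"}):
        print(f"{alert.ts:.1f} {alert.kind}: {alert.detail}")
```

On a network that hands out addresses by DHCP, a "binding-changed" alert can also be a lease moving between hosts, and a router or a host with address aliases legitimately answers for several IPs, so the static bindings and the `max_ips_per_mac` threshold are what keep the monitor from crying wolf; the gateway binding is the one worth declaring first, because it is the address an attacker has to claim to sit between the users and the outside world.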
Current thread:
- Secure Yahoo logins Jeremy (Aug 27)
- Re: Secure Yahoo logins Roland Postle (Aug 27)
- Re: Secure Yahoo logins David Schwartz (Aug 27)
- Re: Secure Yahoo logins John Madden (Aug 27)
- Re: Secure Yahoo logins Roland Postle (Aug 28)
- Re: Secure Yahoo logins Nick Jacobsen (Aug 27)
- Re: Secure Yahoo logins David Thiel (Aug 27)
- Re: Secure Yahoo logins Nick Jacobsen (Aug 28)
- Re: Secure Yahoo logins David Thiel (Aug 28)
- Re: Secure Yahoo logins Steve Bremer (Aug 28)
- Re: Secure Yahoo logins David Thiel (Aug 27)
- Re: Secure Yahoo logins Roland Postle (Aug 27)
- <Possible follow-ups>
- Re: Secure Yahoo logins Alan McCaig (Aug 28)
- Re: Secure Yahoo logins Chris Caydes (Aug 28)
- Re: Secure Yahoo logins Chris Caydes (Aug 28)
- RE: Secure Yahoo logins Kayne Ian (Softlab) (Aug 29)
- Re: Secure Yahoo logins Muhammad Faisal Rauf Danka (Aug 29)