Vulnerability Development mailing list archives
Re: Secure Yahoo logins
From: Chris Caydes <chris_caydes () yahoo com>
Date: Wed, 28 Aug 2002 08:48:53 -0700 (PDT)
Hello,

I keep hearing and reading about Yahoo Messenger as the least secure IM software, because the passwords are transmitted in plaintext. Yet Yahoo changed the login process in their Messenger several months ago, and I don't know if the criticism about Y!Msg transmitting clear text passwords applies to the current versions of the product, or only the old ones. Or does it apply only if one tries to connect to Yahoo through an HTTP proxy? Or a SOCKS proxy?

I did some quick testing using "direct" connections (no proxies). I sniffed my own Yahoo login with both Ethereal and Ettercap, and couldn't collect the password. The login name, however, as well as all the aliases and the entire buddy list, were sniffed as they are transmitted in clear text. I could easily read all that information in Ethereal.

Both Ethereal and Ettercap claim to decode the Yahoo protocol, but neither actually did. What I saw were "raw TCP packets" :-)

I did the same test with ICQ and I collected the password easily using Ettercap.

I believe Yahoo made some changes in their IM protocol a few months ago, and the sniffers only decode the previous version of the protocol.

I came across the following document on the web, which explains some of the Yahoo Protocol.

http://www.venkydude.com/articles/yahoo.htm

Regards
Chris