Vulnerability Development mailing list archives

Re: Secure Yahoo logins


From: Chris Caydes <chris_caydes () yahoo com>
Date: Wed, 28 Aug 2002 09:53:18 -0700 (PDT)

Well, Alan seems to have the same kind of information
as me on this...
If it is confirmed that the newer versions of the
Yahoo Messenger protocol do not transmit the password
in plain text, then users should all upgrade their
Messenger and use the ymsg10 or ymsg9 protocol. This
should probably answer Jeremy's concerns.
Even then, it does not change a thing for the security
of the data transmitted after login, including screen
name, aliases, buddy list, and messages, but at least
the newer versions of Yahoo seem to be at the same level of
(in)security as the other major IM programs.

As far as I am concerned, I am not confident in
letting people use IM programs in a corporate
environment. 
I would be much more confident with a corporate IM system
(with an internal IM server), that would eventually
include a gateway to external servers (Yahoo, MSN,
etc.) The architecture of Instant Messaging services
in a corporate environment would then be similar to
the architecture of e-mail: an internal e-mail server
with user accounts, and an e-mail gateway to the
Internet. This sounds much better than deploying POP3
clients and giving everyone in the company a Yahoo
Mail account, doesn't it?
I have heard of an IM server for enterprises: "Akonix
L7". Has anyone successfully deployed this product?
Any interesting experiences to share?

Regards
Chris


A couple of things - one, Yahoo DOES send the
password in plain text, you just have to capture
it at the right time,

That ain't true. The last time I was messing with
Yahoo protocols I learned a lot for them. Their
main ones are called ycht and ymsg, and depending
on what protocol you use when logging in, it will
then depend how the password is sent. On the
ycht protocol your password will be sent in
clear text in the login string. I hear there are
plans for Yahoo to stop using this protocol, but
ymsg is a lot more secure. At first ymsg wasn't
too great and it had problems where people could
authenticate themselves as any user without
their password. For a good text on ymsg9 you
should read
http://www.venkydude.com/articles/yahoo.htm
Yahoo is now at ymsg10 but it ain't much changed
from 9.
Regards
Alan
