Full Disclosure mailing list archives
Re: Yahoo! Spam Filter Vulnerability
From: xploitable <xploitable () gmail com>
Date: Thu, 30 Sep 2004 03:35:26 +0100
xploitable <xploitable () gmail com> wrote: Yahoo! Tuesday made public a preview of its coming new and improved homepage. A link from Yahoo!s homepage takes you to http://www.yahoo.com/promos/learn.html, where users can learn more about the new and improved functionality. On the learn.html page is a link http://promotions.yahoo.com/frontpage_04/ud/fp2_taf.html to invite friends or co-workers to view the New and Improved Homepage. This feature allows anyone to spam the Yahoo! Mail servers. Consumer or Corporate mailboxes will be flooded with repeated invites, if a malicious users codes a simple program to do so. All spammed invites do not goto the bulk folder as they should, they arrive on the inbox, as repeated invites. This allows a malicious users to quickly bring Yahoo! Mail network to a crawl and fill up a victims storage space very, very quickly. Yahoo! were notified of a similar vulnerability for its Yahoo! Mail spam filters earlier this year with regards of its invite feature, on the Yahoo! Messenger 6 IM client, it seems Yahoo! do not learn from past mistakes. For this current vulnerability, the vendor has not been contacted. Happy Yahoo! Mail flooding. Discovered today by n3td3v -- http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Yahoo! security professionals have now fixed this flaw in security. If I had sent this to Yahoo!s security address from my personal past experiences, this flaw would still be pending and possibly have taken upto a week for Yahoo! security professionals to get round to implementing a solution. This is proof that indeed full-disclosure does work, even if its considered evil to post information which script kiddies could act upon to commit malicious activities on Yahoo! I only made this full disclosure after trying over several months to make contact with Yahoo! security professionals on other security matters, without success. This was more my way of testing my theory that Yahoo! security professionals would infact raise the priority of a problem to be fixed, if a public disclosure was made to a security community mailing list, such as "Full-Disclosure". I advise others to try and make contact with security professionals first by using security () yahoo-inc com, but if you fail to get any common sense feedback from them, by all means, post flaws in security to a public mailing list. This way you can be sure, the flaw will be put to the top of Yahoo!s to-do-list agenda, before any other technical vulnerability. Hopefully someone at Yahoo! will learn something from this, but probably not. They'll undoubtly keep treating everyone like shit. -- http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Yahoo! Spam Filter Vulnerability xploitable (Sep 28)
- Message not available
- Message not available
- Re: Yahoo! Spam Filter Vulnerability xploitable (Sep 29)
- Message not available
- Message not available