Full Disclosure mailing list archives
Yahoo Messenger. Yahoo Mail vulnerable
From: n3td3v <xploitable () gmail com>
Date: Wed, 2 Mar 2005 22:10:12 +0000
Yahoo today introduced a year 10 promotion to allow users to buy a free ice cream, and view propaganda on the last 10 years of Yahoo. The location http://birthday.yahoo.com/netrospective/ has e-mail to friend functionality. This e-mail to friend form offers no protection to Yahoo Messenger or Yahoo! Mail users.

A very evil and malicious user can flood a Yahoo! Mail user's inbox with non-stop e-mail messages. Repeated messages usually go to the bulk folder automatically. This mail to friend function at http://mtf.news.yahoo.com/mailto?url=http%3A%2F%2Fbirthday.yahoo.com%2Fnetrospective%2F&title=Yahoo!+Happy+10th+Birthday&prop=birthday&locale=us bypasses all Yahoo mail spam filters.

What's more is, if the victim is a keen user of the Yahoo! Messenger service, you can bomb the victim with non-stop dialog popup boxes notifying you of new mail, because the spammed messages all go to the inbox, where the Yahoo! Messenger mail notifier keeps an eye on.

On a wider picture of things, a very evil and malicious user can slow down Yahoo's mail hardware by using your harvested e-mail addresses you've been using for phishing on Yahoo! Mail network. Yahoo! corporate mail is also affected by this spam vulnerability. A very evil and malicious user can bring Yahoo's internal mail system to a crawl, with your bot net, you were using to make money from marketers who were paying you to spam inboxes with under normal money making circumstances.

Thanks for your time security community

n3td3v once again shows up Yahoo's bad security management. Here's to another ten years!!!

This is my security list, it's better than FD!! ;-) http://groups-beta.google.com/group/n3td3v

My last advisory was the Google Groups script injection vulnerability.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
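
An added example, not part of the original post and not Yahoo's code: one way a mail-to-friend form can bound the flooding described above, by limiting sends per recipient inbox as well as per submitting client. The class name, limits, window length and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class MailToFriendThrottle:
    """Sliding-window limits for a send-to-a-friend form (hypothetical helper)."""

    def __init__(self, per_recipient=3, per_source=10, window=3600):
        self.per_recipient = per_recipient  # mails one inbox may receive per window
        self.per_source = per_source        # mails one client may send per window
        self.window = window                # window length in seconds
        self._by_recipient = defaultdict(deque)
        self._by_source = defaultdict(deque)

    @staticmethod
    def _normalize(address):
        # Case-fold and trim so trivial variants map to one inbox
        # (assumption: no provider-specific alias handling).
        return address.strip().lower()

    def _count(self, bucket, now):
        # Drop timestamps that fell out of the window, then report what is left.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()
        return len(bucket)

    def allow(self, source_ip, recipient, now):
        """Return (allowed, reason). Only accepted sends are recorded."""
        rcpt = self._by_recipient[self._normalize(recipient)]
        src = self._by_source[source_ip]
        if self._count(rcpt, now) >= self.per_recipient:
            return False, "recipient_limit"
        if self._count(src, now) >= self.per_source:
            return False, "source_limit"
        rcpt.append(now)
        src.append(now)
        return True, "ok"

def replay(events, throttle):
    """Run constructed (time, source_ip, recipient) events; return the decisions."""
    return [throttle.allow(ip, rcpt, t)[1] for t, ip, rcpt in events]

# Constructed sample: five different clients target one inbox within a minute,
# then one of them retries after the window has passed.
SAMPLE = [(i * 10, f"198.51.100.{i}", "Victim@example.com") for i in range(5)]
SAMPLE.append((3700, "198.51.100.0", "victim@example.com"))

if __name__ == "__main__":
    print(replay(SAMPLE, MailToFriendThrottle()))
```

Keying the first limit on the recipient rather than the sender is what holds when the submissions come from many client addresses at once.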