Full Disclosure mailing list archives
Re: [Argeniss] Alert - Yahoo! Webmail XSS
From: "Dave \"No, not that one\" Korn" <davek_throwaway () hotmail com>
Date: Tue, 18 Apr 2006 14:23:06 +0100
Morning Wood wrote:
reflecting on this... the offending url you give is http://w00tynetwork.com/x/ which contains a fake yahoo login ( for webmail ) (( and other exploits embedded within the site )) you state this is a Yahoo Email vulnerability. stop me if im wrong... why would anyone be vulnerable to a Yahoo login redirect phish, if in fact they are already logged in to read the mail in the first place.
Dunno about anyone else, but I have occasionally found that Yahoo has a bad habit of forgetting I'm authenticated and continually requiring me to relogin even in one continuous session.
i can appriciate the possibility of XSS within the Yahoo webmail interface, just not with this particular redirect code ( or site url ) you provide. XSS could be more effectivly used to leverage a browser exploit, rather than ( trying to ) steal your credentals ala phishing
Well, maybe they were hoping to be able to read his mail stealthily later on, while he wasn't logged in? If you want to steal the entire contents of someones mailbox, you don't really want to use an XSS to automatically forward all the mail to somewhere you can get it, since that amount of scripting would likely take a noticeable amount of time and transactions with yahoo's servers to run and the slow responsiveness of the browser might give a clue that something was going on; a better way is just to get their password and then login sometime when they're not online or perhaps use the pw with POP/IMAP to snarf down the entire lot. Or perhaps they were hoping that he uses the same pw in lots of places? cheers, DaveK -- Can't think of a witty .sigline today.... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [Argeniss] Alert - Yahoo! Webmail XSS Cesar (Apr 17)
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Morning Wood (Apr 17)
- Message not available
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Response Team (Apr 17)
- Message not available
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Morning Wood (Apr 17)
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Morning Wood (Apr 17)
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Dave "No, not that one" Korn (Apr 18)
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Cesar (Apr 18)
- Re[2]: [Argeniss] Alert - Yahoo! Webmail XSS Thierry Zoller (Apr 18)
- Re: Re[2]: [Argeniss] Alert - Yahoo! Webmail XSS Cesar (Apr 18)
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Morning Wood (Apr 18)
- Re: [Argeniss] Alert - Yahoo! Webmail XSS Neil Davis (Apr 18)
- Re[2]: [Argeniss] Alert - Yahoo! Webmail XSS Thierry Zoller (Apr 18)