Full Disclosure mailing list archives
Re: n3td3v yahoo crap
From: "Mike M" <mkmaxx () gmail com>
Date: Sat, 5 Aug 2006 10:07:39 +0530
n3ntl3 wrote:
The same happens on Yahoo Messenger file share. If the client cannot connect peer to peer then the file being sent will be stored on the server as a temp file. The Yahoo system cannot verify that the file has been successfully downloaded by the intended party, so the file is left on the server, until Yahoo decides to expire the file. What folks were doing is linking the temp files to victims (via any chat or e-mail), the file extension could be anything, so the malicious file was being used in virus and phishing runs. The hacker would keep rotating the temp file storage system, every time the file expired (which can be hours at a time, enough time to infect and phish your way through thousands of hosts), therefore you have continued storage of virus and phishing on the Yahoo servers, undetected. The Yahoo virus and phishing detection system trusts 'yahoo.com', so it isn't stored on their anti-spam url collection system, and even if it did, the unique temp file URL is changing every rotation, every time the temp file expires, so the URL is always changing its character, so stayed trusted and stealth. This was being exploited by my connections three or so years ago, although, yahoo was contacted in private, I think it was treated as a non-issue. Lolz. Can someone check0r it out and tell me it can still be exploited today? :) I'll need to check0r it out too. That's Yahoo for you. Sorry to poison a Gmail thread with this, but it just reminded me of what we exploit on Yahoo :) haw haw haw... keep hax0ring peeps. I grew up with the vulnerability in my teen years, it was so commonplace, no one thought to report it, but eventually I stopped using Yahoo Messenger temp file storage for when we blocked the peer to peer via our programs, but yeah, I forgot to check if they patched it. Many good lucks and researching....I expect someone with a formal advisory to be posting what I'm talking about in the coming daze....peace out for now my homies.
Long live server side temp file storage on Yahoo, it rocks vxers socks. Shouts to henrit () yahoo-inc com who was the security engineer at the time I reported it to him, so the buck stops at him, I believe the buck should stop with someone in YAHOO, and should not get away with sloppy security. mis () seiden com is still off the hook for the Yahoo Finance defacement (which happened last weekend), so I guess henri gets off with the temp storage thingy too. These people are paid thousands of dollars a year to detect these easy holes before the bad guys. Time and time again, they get paid even if security incidents keep happening on their turf :) Reject their wage for each month there's a security incident on their turf and you can be sure they'll suddenly have all the holes reported and patched to security () yahoo-inc com, yahoo stop relying on free-lance security researchers to tell your thousands of dollars a year ethical hackers about bugs, and make your researchers work for their money. The rejected wage packet for that month should obviously go to the free-lance researcher who showed up the ethical hacker for not detecting the bug before them. That would solve Yahoo security problems once and for all. Yahoo security staff, take it for granted they'll be given their wage regardless of what happens, that should change, to keep them on their toes and always worried if they're getting paid that month. In the security industry, getting paid should be earned, not assumed. Security companies and corporations need to get tough with employees and security consultants, to make sure standards are kept in check, to guarantee they're working 110% to protect your network from attacks. I love you henri and mark, both do great work at yahoo, when you're not being hacked
Did your grammar teacher tell you about paragraphs?? Oh wait.. you were attending the dr@m@ classes.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/