Full Disclosure mailing list archives

RE: Yahoo/Geocities possible exploit/vulnerability


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 15 Aug 2006 19:18:11 +1200

Jain, Siddhartha wrote:

> The phishing apart, how can a userid be spoofed on Yahoo Messenger? Is
> this something trivial? I thought Yahoo fixed the issue with Y!Messenger
> 5.0.

Ummmm -- unless I'm missing something here (and as I've already said 
I'm NOT a YIM expert), in any system (like YIM) that only does user 
identification through a username-and-password-style login, if someone 
knows your username and password, then that someone _is_ you as far as 
said system is concerned.  Of course, the phishers (or their bots) 
behind this scam are not really you, but YIM doesn't know that, so to 
YIM there is no spoofing -- when the phisher/bot did a YIM login with 
your credentials, as far as YIM was concerned, _you_ were logging in...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

