Full Disclosure mailing list archives
Re: Yahoo IM spoofing
From: n3td3v <xploitable () gmail com>
Date: Tue, 11 Jul 2006 13:15:46 +0100
On 7/11/06, James Lay <jlay () slave-tothe-box net> wrote:
Hey all! Just saw this today for the first time...someone actually spoofing IM's in yahoo chat. Is this a new exploit or did I miss something? Thank you. James _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
We stopped reporting instant message and voice chat exploits for Yahoo years ago. There are at least 40 holes I know of which I know about but is sitting on for a rainy day. Yahoo turned their back on instant message and voice chat security when they decided not to have anyone talk to the localized yahoo security community, to keep in touch with whats going on. Now Yahoo are playing a 'blind date' between Yahoo _and_ the localized yahoo security community. They get no early warnings for exploits, and often Yahoo are finding out about exploits weeks after they have been exploited on their production servers. It didn't used to be like that, often because Yahoo had people in the community, they were able to know about exploits before they reaches production servers. Because of the old early warning, incidents would only add upto 'hackers attacking hackers' with exploits, now because Yahoo are not finding out about exploits, the attacks are spreading out to exploit 'consumers' outside of the localized yahoo security community. This is because of a change in policy by Yahoo where they decided _not_ to be-friend hackers anymore, to get early warning reports of 0day. Which is confusing, because the system was working well, so much so, some folks at Yahoo core security team were unofficially entertaining the idea to pay folks to be informants per valid 0day reported to the be-friender(s). Yeah, thats how bad the situation right now. There are no be-frienders anymore, and backs are being turned by yahoo security team. The troubles for Yahoo aren't going away anytime soon, because the number of exploits are still there, just minus the intelligence they were getting from folks like n3td3v and friends in the underground, who had intimate relationships with employees over a wide period. Thats why theres more now on Yahoo leaking out to mailing lists and to the media, because folks have no other choice, theres no befrienders anymore, they are too busy protecting their job titles now, after things got nasty. It turns out those Yahoo befrienders got into n3td3v and the underground too deep, and they didn't know what the risks might be for their career and reputation, and it didn't help them, because even the befrienders have questionable security community backgrounds, so it was easy for n3td3v and others to put pressure on them, when Yahoo weren't meeting us half way. The biggest thing I managed to infulence them with was getting them to implement the security.yahoo.com web site to give consumers basic security information, another demand we made was that, a web link for Yahoo 'Guide to Online Security' was placed on at the footer of all major Yahoo property pages, in exchange for 0day. Theres other things we took advantage of these befrienders for, but in the end, the demands got too demanding, so they pulled out from talking to n3td3v and friends anymore. Now Yahoo public exploits are increasing, along with network wide attacks on mail, chat, instant message etc. Before Yahoo had it contained with their 'speical relationships' but as soon as they broke, so did communications, and 'meet us half way' agreements. Theres now a new meaning for '0day in the wild' between n3td3v and friends and Yahoo security team & befriender employees, because exploits really are out there now, and Yahoo aren't finding out until these exploits start affecting the global security situation on the internet, far outreaching Yahoo. Where big firms like Symantec and online media journalists are involved.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Yahoo IM spoofing James Lay (Jul 10)
- RE: Yahoo IM spoofing Patrick Nolan (Jul 10)
- Re: Yahoo IM spoofing Morning Wood (Jul 10)
- Re: Yahoo IM spoofing Eric Chien (Jul 11)
- Re: Yahoo IM spoofing Morning Wood (Jul 10)
- Re: Yahoo IM spoofing n3td3v (Jul 11)
- RE: Yahoo IM spoofing Patrick Nolan (Jul 10)