Vulnerability Development mailing list archives
Re: Secure Yahoo logins
From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 28 Aug 2002 05:43:03 +0100
I remember trying that here using arpspoof and dsniff. It captured the URL that was being used. From what I remember, the password was MD5 encrypted, and it said so in the URL. But, that said, there's no need to decrypt the password. Just paste that URL into your browser and it'll bring you directly into the person's Yahoo email account.
In theory, the nonce is supposed to be use-once to prevent replay attacks like this. Typically it might also have encoded in it the IP address and some time after which it's invalid. So even if you could capture a hash that hadn't been used, you'd have to spoof the person's IP address, and fairly quickly.

Unfortunately none of this seems to be true; you /can/ indeed copy and paste the URL. You can do it from any IP address, and you can do it whether the person is logged in or not/has used that nonce or not. I've just noticed one of my old skool mates \o/ coded the MD5 implementation, so I'll see if he knows anything about why the login procedure's a bit lame.

However, it's all a little irrelevant because you can capture the session cookie on its way back from the server after the login (if you logged in via SSL I presume this wouldn't be so). And it's all even more irrelevant if what Nick says is true, the password is sent in plaintext at some point. I'd be interested to see when and why.

- Blazde
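The use-once, IP-bound, time-limited nonce described in the message above, sketched as an added example; it is not part of the original post and is not Yahoo's code. HMAC-SHA256 stands in for the MD5 hashing the thread mentions, and the function names, the 60-second lifetime and the in-memory set of used nonces are assumptions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # per-deployment secret (constructed for this example)
NONCE_TTL = 60                # assumed lifetime of a challenge, in seconds
_used = set()                 # nonces already redeemed; a shared store in a real deployment


def _tag(rand, expires, client_ip):
    """MAC over the nonce fields plus the IP the challenge was issued to."""
    msg = f"{rand}.{expires}.{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_nonce(client_ip, now=None):
    """Return 'rand.expires.tag'; the IP is bound through the tag, not sent."""
    expires = int((now if now is not None else time.time()) + NONCE_TTL)
    rand = os.urandom(16).hex()
    return f"{rand}.{expires}.{_tag(rand, expires, client_ip)}"


def expected_response(password_hash, nonce):
    """What the client sends: a keyed hash of the nonce under the password hash."""
    return hmac.new(password_hash, nonce.encode(), hashlib.sha256).hexdigest()


def verify_login(password_hash, nonce, response, client_ip, now=None):
    """Accept a response once, from the issuing IP, before expiry."""
    now = now if now is not None else time.time()
    try:
        rand, expires, tag = nonce.split(".")
        expires = int(expires)
    except ValueError:
        return "malformed"
    if not hmac.compare_digest(tag.encode(), _tag(rand, expires, client_ip).encode()):
        return "bad-nonce-or-ip"      # forged nonce, or presented from another address
    if now > expires:
        return "expired"
    if nonce in _used:
        return "replayed"             # a captured URL pasted a second time lands here
    _used.add(nonce)                  # burn the nonce on first use, even if the password is wrong
    good = expected_response(password_hash, nonce)
    return "ok" if hmac.compare_digest(response.encode(), good.encode()) else "bad-password"
```

This covers only the login exchange; a session cookie returned over plain HTTP, as the message notes, is outside what the nonce protects.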