Vulnerability Development mailing list archives

Re: Secure Yahoo logins


From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 28 Aug 2002 05:43:03 +0100

I remember trying that here using arpspoof and dsniff. It captured the
URL that was being used. From what I remember, the password was MD5
encrypted, and it said so in the URL. But, that said, there's no need to
decrypt the password. Just paste that URL into your browser and it'll
bring you directly into the person's Yahoo email account.

In theory, the nonce is supposed to be use-once to prevent replay
attacks like this. Typically it might also have encoded in it the IP
address and some time after which it's invalid. So even if you could
capture a hash that hadn't been used you'd have to spoof the person's IP
address, and fairly quickly. Unfortunately none of this seems to be
true, you /can/ indeed copy and paste the URL. You can do it from any
IP address, and you can do it whether the person is logged in or
not/has used that nonce or not.

I've just noticed one of my old skool mates \o/ coded the MD5
implementation so I'll see if he knows anything about why the login
procedure's a bit lame.

However, it's all a little irrelevant because you can capture the
session cookie on its way back from the server after the login (if you
logged in via SSL I presume this wouldn't be so). And it's all even
more irrelevant if what Nick says is true, the password is sent in
plaintext at some point. I'd be interested to see when and why.

- Blazde
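The nonce behaviour the post says a login scheme is "supposed to" have (use-once, bound to the client IP, time-limited), shown as an added Python example that is not from the original thread or from Yahoo's login code; LoginServer, client_response, NONCE_TTL and the demo addresses are hypothetical, and HMAC-SHA-256 stands in for the MD5 scheme the post describes.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 60  # seconds a challenge stays valid (constructed value)


class LoginServer:
    def __init__(self, users, now=time.time):
        # users: {username: sha256(password) hex}; unsalted only to keep the demo short
        self.users = users
        self.now = now
        self.pending = {}  # nonce -> (username, client_ip, expires_at)

    def challenge(self, username, client_ip):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (username, client_ip, self.now() + NONCE_TTL)
        return nonce

    def login(self, username, client_ip, nonce, response):
        # pop() consumes the nonce even on a failed attempt: use-once
        entry = self.pending.pop(nonce, None)
        stored = self.users.get(username)
        if entry is None or stored is None:
            return False  # unknown or already-used nonce: replay rejected
        user, ip, expires_at = entry
        if user != username or ip != client_ip or self.now() > expires_at:
            return False  # wrong user, different IP, or challenge expired
        expected = hmac.new(nonce.encode(), stored.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(nonce, password):
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(nonce.encode(), pw_hash.encode(), hashlib.sha256).hexdigest()


def demo():
    clock = [1000.0]  # controllable clock so expiry can be tested offline
    srv = LoginServer({"alice": hashlib.sha256(b"pw").hexdigest()}, now=lambda: clock[0])
    n1 = srv.challenge("alice", "10.0.0.5")
    r1 = client_response(n1, "pw")
    first = srv.login("alice", "10.0.0.5", n1, r1)      # True: fresh challenge
    replay = srv.login("alice", "10.0.0.5", n1, r1)     # False: nonce already consumed
    n2 = srv.challenge("alice", "10.0.0.5")
    other_ip = srv.login("alice", "192.0.2.9", n2, client_response(n2, "pw"))  # False
    n3 = srv.challenge("alice", "10.0.0.5")
    clock[0] += NONCE_TTL + 1
    expired = srv.login("alice", "10.0.0.5", n3, client_response(n3, "pw"))    # False
    return first, replay, other_ip, expired
```

Even with these checks, the session cookie returned after a successful login is still exposed on a plaintext connection, which is the point the post makes about SSL.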

