[Dshield] Here's a new one...possible Yahoo exploit?

Pete Cap peteoutside at yahoo.com
Wed Apr 14 00:28:32 GMT 2004


Just received the following in my Yahoo! Bulk Mail folder.
 
>From: kka at kidagin.com
>To: peteoutside at yahoo.com 
>Subject: Mail Delivery (failure peteoutside at yahoo.com) 
>Date: Mon, 12 Apr 2004 06:02:18 -0400 
>
>If the message will not displayed automatically,
>follow the link to read the delivered message.
>
>Received message is available at:
>www.yahoo.com/inbox/peteoutside/read.php?sessionid-9853
 
Yahoo renders the url thus:
http://us.f601.mail.yahoo.com/ym/us/ShowLetter?box=%40B%40Bulk&MsgId=4138_2453092_370_973_30618_0_10662_41372_94775594&bodyPart=2&YY=79747&order=down&sort=date&pos=0&view=a&head=b
 
I'm pretty sure ShowLetter is a JavaScript used to display messages and attachments.

The url appears to be nonstandard...the trailing "/us/" after the yahoo.com doesn't appear in any of the legitimate links in my mailbox.
 
This is obviously nonstandard, probably malicious...but I have to wonder how it's supposed to work (no, I haven't followed the link yet).  Browser exploit of some kind?  Did someone perhaps compromise Yahoo?  Is it a vulnerability in the way they allow access to mailboxes? (i.e., could I in effect read someone else's mail?)
 
I have just forwarded this to Yahoo's security nebbishes but wanted to tip the list off as well.
 
Any ideas?
Regards,
 
Pete
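Added example, not part of Pete's post or of anything Yahoo published: a small Python helper that takes the two links quoted above (the one inside the message body and the one Yahoo rendered), splits each into host, path and decoded query, and checks whether the host really sits under yahoo.com rather than merely containing the string "yahoo.com". The link constants are copied from the post; the decoding of `box=%40B%40Bulk` to `@B@Bulk` is what the percent-encoding actually says, and the reading of it as the Bulk folder is an assumption that matches where the mail landed.

```python
from urllib.parse import urlsplit, parse_qs

# Links copied from the post above (the first has no scheme in the original message).
LINK_IN_BODY = "www.yahoo.com/inbox/peteoutside/read.php?sessionid-9853"
RENDERED_LINK = (
    "http://us.f601.mail.yahoo.com/ym/us/ShowLetter?box=%40B%40Bulk"
    "&MsgId=4138_2453092_370_973_30618_0_10662_41372_94775594"
    "&bodyPart=2&YY=79747&order=down&sort=date&pos=0&view=a&head=b"
)


def split_link(link):
    """Return (host, path, query) for a link; query values are percent-decoded.

    A link without a scheme (as in the message body) is treated as http so that
    urlsplit puts the first component in the host field instead of the path.
    """
    if "://" not in link:
        link = "http://" + link
    parts = urlsplit(link)
    # keep_blank_values=True keeps tokens like "sessionid-9853" that carry no "=".
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.hostname, parts.path, query


def host_belongs_to(host, domain):
    """True only if host equals domain or is a subdomain of it.

    A plain substring test would accept lookalikes such as
    'www.yahoo.com.example.net'; anchoring on the dot-separated suffix rejects them.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess(link, expected_domain="yahoo.com"):
    """Summarise a link the way a first-pass triage would: host, path, query, and
    whether the host is genuinely under the expected domain."""
    host, path, query = split_link(link)
    return {
        "host": host,
        "path": path,
        "query": query,
        "under_expected_domain": host_belongs_to(host, expected_domain),
    }


if __name__ == "__main__":
    for label, link in (("in body", LINK_IN_BODY), ("rendered", RENDERED_LINK)):
        report = assess(link)
        print(f"[{label}] host={report['host']} under yahoo.com={report['under_expected_domain']}")
        print(f"          path={report['path']}")
        for key, values in report["query"].items():
            print(f"          {key} = {values}")
```

Running it shows both hosts resolve as subdomains of yahoo.com by suffix, the body link's query is a bare token with no value, and the rendered link's `box` parameter decodes to `@B@Bulk` with `bodyPart=2` selecting a part of the stored message; that is, the rendered URL is a reader view of the message Yahoo already holds, not a reference to whatever the body link points at.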


