[Dshield] seems like a flaw in a yahoo url

Andy Streule andy.streule at lythamhigh.lancs.sch.uk
Fri Apr 23 08:48:13 GMT 2004


I discovered this about 6 weeks ago. I should rephrase that: I captured
someone doing something on my honeypot (kfsensor
[www.keyfocus.net/kfsensor/]), which led me to discover this.

At the time it looked like someone trying to take over Yahoo accounts. They
were trying lots of different usernames but the same password. I don't know
if they were using Yahoo Messenger, but the connections were to my SOCKS
proxy.
When I tried the URL in my web browser, Mozilla Firefox, I discovered
something alarming.
I sent a msg about it to Yahoo abuse but received nothing but the automated
reply back.

The URL is

http://l4.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?.&login=&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=myusername&passwd=password

Substitute myusername with a valid username.
If password is not the right password, you get a grey page with a box in the
middle saying "hi username" and "Invalid Password".

If you put the right password in (I tried it with my own Yahoo account), you
get a different page, http://jpager.yahoo.com/jpager/pager2.shtml. At home
using Mozilla Firefox I got an error page; at work on Firefox (just tried it
now) I get a page of HTML that looks like it would launch Yahoo Messenger if I
had it installed.

It seems to me that with some sort of script, wget, a list of anonymous
proxies and a big list of Yahoo email addresses, a person could write a
script to discover accounts that had generic passwords. All you'd have to
do is see which page was returned to know whether the password was right or
wrong.


This seems like a bad thing to me.



~Andy
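
Detection logic for the pattern reported in this post (many different usernames tried with one password, carried in login URLs sent through a proxy), added here as an example and not part of the original message. The host name, client addresses, credentials and the `min_users` threshold are constructed; only the `login` and `passwd` parameter names and the URL shape come from the post.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed honeypot proxy records: (client IP, URL requested through the SOCKS listener).
BASE = "http://login.example.test/config/login?.redir_from=PROFILES?.&login=&.tries=1&.src=jpg"
SAMPLE_LOG = [
    ("203.0.113.7", BASE + "&login=alice&passwd=letmein"),
    ("203.0.113.7", BASE + "&login=bob&passwd=letmein"),
    ("203.0.113.7", BASE + "&login=carol&passwd=letmein"),
    ("203.0.113.7", BASE + "&login=dave&passwd=letmein"),
    ("198.51.100.9", BASE + "&login=erin&passwd=hunter2"),
    ("198.51.100.9", BASE + "&login=erin&passwd=hunter3"),
    ("198.51.100.9", "http://www.example.test/index.html"),
]

def extract_credentials(url):
    """Return (username, password) carried in a login URL's query string, or None."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # The parameter repeats (an empty login= precedes the real one), so keep the last non-empty value.
    users = [v for k, v in pairs if k == "login" and v]
    passwords = [v for k, v in pairs if k == "passwd" and v]
    if not users or not passwords:
        return None
    return users[-1], passwords[-1]

def find_spraying(records, min_users=3):
    """Return {(client, password digest): usernames} where one password hit many accounts."""
    seen = defaultdict(set)
    for client, url in records:
        creds = extract_credentials(url)
        if creds is None:
            continue
        user, password = creds
        # Group on a truncated digest so the report does not carry the cleartext password.
        digest = hashlib.sha256(password.encode()).hexdigest()[:12]
        seen[(client, digest)].add(user)
    return {key: sorted(users) for key, users in seen.items() if len(users) >= min_users}

if __name__ == "__main__":
    for (client, digest), users in find_spraying(SAMPLE_LOG).items():
        print(f"{client} tried password sha256:{digest} against {len(users)} accounts: {users}")
```

Grouping by client address matches what a single honeypot sees; a login service facing the rotating proxies mentioned in the post would group by password digest alone.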





