
| Subject: | Re: [Full-Disclosure] Yahoo! Spam Filter Vulnerability |
|---|---|
| Date: | Thu, 30 Sep 2004 03:35:26 +0100 |
xploitable <xploitable@gmail.com> wrote:

> Yahoo! on Tuesday made public a preview of its coming new and improved homepage. A link from Yahoo!'s homepage takes you to http://www.yahoo.com/promos/learn.html, where users can learn more about the new and improved functionality. On the learn.html page is a link, http://promotions.yahoo.com/frontpage_04/ud/fp2_taf.html, to invite friends or co-workers to view the New and Improved Homepage.
>
> This feature allows anyone to spam the Yahoo! Mail servers. Consumer or corporate mailboxes will be flooded with repeated invites if a malicious user codes a simple program to do so. Spammed invites do not go to the bulk folder as they should; they arrive in the inbox as repeated invites. This allows a malicious user to quickly bring the Yahoo! Mail network to a crawl and fill up a victim's storage space very, very quickly.
>
> Yahoo! were notified of a similar vulnerability in its Yahoo! Mail spam filters earlier this year with regard to the invite feature of the Yahoo! Messenger 6 IM client; it seems Yahoo! do not learn from past mistakes. For this current vulnerability, the vendor has not been contacted.
>
> Happy Yahoo! Mail flooding.
>
> Discovered today by n3td3v
>
> -- http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Yahoo! security professionals have now fixed this flaw in security. If I had sent this to Yahoo!'s security address, from my personal past experience this flaw would still be pending and could possibly have taken up to a week for Yahoo! security professionals to get round to implementing a solution.

This is proof that full disclosure does indeed work, even if it's considered evil to post information which script kiddies could act upon to commit malicious activities on Yahoo!.

I only made this full disclosure after trying over several months to make contact with Yahoo! security professionals on other security matters, without success. This was more my way of testing my theory that Yahoo! security professionals would in fact raise the priority of a problem to be fixed if a public disclosure was made to a security community mailing list such as "Full-Disclosure".

I advise others to try and make contact with security professionals first by using security@yahoo-inc.com, but if you fail to get any common-sense feedback from them, by all means post flaws in security to a public mailing list. This way you can be sure the flaw will be put to the top of Yahoo!'s to-do list agenda, before any other technical vulnerability.

Hopefully someone at Yahoo! will learn something from this, but probably not. They'll undoubtedly keep treating everyone like shit.

-- http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.