[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] ITTS012008 - YAHOO WEB MAIL URL REDIR

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] ITTS012008 - YAHOO WEB MAIL URL REDIR
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Sun, 21 Sep 2008 17:33:00 +1200

Martin Fallon wrote:

<<big snip>>
> 
>  VI - CRONOLOGY
> ----------------
> 
> 09/09/2008 - Vulnerability Discovered.
> 09/10/2008 - Attempt to contact yahoo - no success.
> 09/11/2008 - Attempt to contact yahoo - no success.
> 09/15/2008 - Attempt to contact yahoo - no success.
> 09/20/2008 - Advisore Published.

Sometimes I wonder why we bother...

This has been used in the past (and maybe even to phish Yahoo -- not sure 
now).

Several times.

And reported thusly.

Maybe Yahoo just doesn't care?  They fixed this same redirector issue on 
other Yahoo sub-domains, but missed (or chose not to fix it on) the 
"login" sub-domain.

The gibbons in their web dev teams must be seriously underpaid, or just 
don't care.

The Yahoo! security wonks who got this fixed on the other sub-domains 
back in February will be a tad pissed at the gibbons for missing this 
instance though, I suspect...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] ITTS012008 - YAHOO WEB MAIL URL REDIR
  - From: Martin Fallon

Prev by Date: Re: [Full-disclosure] Social flaws / vulnerabilities in 'Last account activity' on Gmail
Next by Date: [Full-disclosure] 0day services
Previous by thread: [Full-disclosure] ITTS012008 - YAHOO WEB MAIL URL REDIR
Next by thread: [Full-disclosure] Kaspersky Lab Online Activation Center remote brute force vulnerability
Index(es):
- Date
- Thread