
[Full-disclosure] Yahoo! Mail Username Information Disclosure Vulnerability



Yahoo! Mail Username Information Disclosure Vulnerability

By Sowhat
2005.05.23
http://secway.org/advisory/ad20050523.txt

Vendor

Yahoo! Inc.


Overview:

Yahoo! Mail (http://mail.yahoo.com) is one of the Web's largest, most popular free email
providers. Yahoo! Mail helps people stay in touch at home, at work or while traveling for
business or pleasure. Yahoo! Mail is fully integrated with Yahoo!'s many other popular
services to make it easy to access all the Internet services people need.


Yahoo! Mail has received a variety of prominent industry accolades including “Best Free E-Mail” for three years by PC World, and CNET Editors’ Choice awards.


Details:

There is a design flaw in Yahoo! Mail that discloses username information to an attacker. It can be used to harvest valid e-mail addresses @yahoo.com, which in turn can be used to spam those users or to crack passwords in a reverse way (one password tried across many harvested accounts).

The vulnerability specifically exists in the following page:
SBC Yahoo!
http://login.yahoo.com/config/login?.partner=sbc&.done=http%3a//sbc.yahoo.com/

( Note that http://mail.yahoo.com is not vulnerable :)

This login page responds with different messages depending on whether the entered username is valid.
For example, if you enter a username that does not exist, such as "SowhatS0what", with any password, it returns: "This Yahoo! ID does not exist. Are you trying to sign up as SowhatS0what".


If you enter a valid username such as "Sowhat" with a wrong password such as "secway.org",
it returns "Invalid Password".


Also, they do not seem to limit how many times you can try to log in as different users, so it is fairly easy to write a script that automatically harvests all the valid usernames (i.e. the e-mail addresses).

This may be bad news for Yahoo! users, since they will likely receive more "interesting" e-mails. The attacker can also do other things, such as brute-force passwords in reverse: harvest enough valid usernames, then test all of them against one common password such as "passw0rd" to find the accounts that use it (the technique now usually called password spraying).
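The oracle described above, and the fix a login page needs, as an added example that is not part of the original advisory: the mock account table, the throttle limits and the source IP addresses are constructed for the demo, the two response strings are modelled on the ones quoted above, and nothing contacts a real Yahoo! endpoint. The harvesting and spraying functions only read the login handler's reply, so the same code runs against the leaky handler and the hardened one.

```python
"""
Added example (not from the original advisory): simulates the username
oracle in the SBC Yahoo! login page and a hardened handler that closes it.
ACCOUNTS, the throttle limits and the IP addresses are constructed for
this demo; no real endpoint is contacted.
"""
import hmac
import time
from collections import defaultdict

# Constructed mock account store (plaintext only to keep the demo short;
# a real system stores password hashes).
ACCOUNTS = {
    "Sowhat": "secret-real-password",
    "alice": "passw0rd",
    "bob": "Tr0ub4dor&3",
}


def leaky_login(username, password):
    """Vulnerable handler: the reply tells the caller whether the ID exists."""
    if username not in ACCOUNTS:
        return f"This Yahoo! ID does not exist. Are you trying to sign up as {username}"
    if ACCOUNTS[username] != password:
        return "Invalid Password"
    return "OK"


def harvest_usernames(login, candidates):
    """Enumerate valid IDs: send a junk password, keep every ID whose
    reply is not the 'does not exist' message."""
    return [name for name in candidates if "does not exist" not in login(name, "x")]


def reverse_bruteforce(login, usernames, password):
    """Password spraying: one common guess across many harvested IDs."""
    return [u for u in usernames if login(u, password) == "OK"]


# ---- hardened version -------------------------------------------------

GENERIC = "Invalid ID or password"          # one message for both failure cases
MAX_ATTEMPTS_PER_WINDOW = 5                 # constructed limit
WINDOW_SECONDS = 60                         # constructed window
_attempts = defaultdict(list)               # source -> timestamps of recent tries


def hardened_login(username, password, source_ip, now=None):
    """Same reply for unknown ID and wrong password, plus a per-source
    throttle so the attacker cannot sweep thousands of IDs for free.
    `now` is injectable so the throttle can be exercised without sleeping."""
    now = time.monotonic() if now is None else now
    recent = [t for t in _attempts[source_ip] if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_ATTEMPTS_PER_WINDOW:
        _attempts[source_ip] = recent
        return "Too many attempts, try again later"
    recent.append(now)
    _attempts[source_ip] = recent
    # Compare first, then check existence, so unknown IDs do the same work
    # as known ones instead of short-circuiting.
    stored = ACCOUNTS.get(username, "")
    ok = hmac.compare_digest(stored.encode(), password.encode()) and username in ACCOUNTS
    return "OK" if ok else GENERIC


if __name__ == "__main__":
    names = ["Sowhat", "SowhatS0what", "alice", "bob", "carol"]
    valid = harvest_usernames(leaky_login, names)
    print("harvested:", valid)                          # the three real IDs
    print("use passw0rd:", reverse_bruteforce(leaky_login, valid, "passw0rd"))
    fixed = lambda u, p: hardened_login(u, p, "198.51.100.7")
    print("against hardened:", harvest_usernames(fixed, names))  # no signal
```

The throttle is keyed on the source address rather than on the account because a sweep of this kind touches each account only once; in practice you want both keys, since a per-IP limit alone is defeated by spreading the requests across many sources.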



Vendor Response:

I dropped a mail to security@xxxxxxxxxxxxx on 2005-05-17, but no response yet. Maybe they think that Yahoo! Mail has a good spam filter :) So finally I decided to release it.

It was not fixed when I sent this advisory.

#btw: I have tried to post this message to FD from Gmail many, many times but failed. Does anyone else suffer from this?

_________________________________________________________________
Enjoy the world's largest e-mail system: MSN Hotmail. http://www.hotmail.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/