Re: [Full-Disclosure] Yahoo! Spam Filter Vulnerability

From: xploitable (xploitable_at_gmail.com)
Date: 09/30/04

  • Next message: Luigi Auriemma: "Crash in Alpha Black Zero 1.04" 
    To: full-disclosure@lists.netsys.com
Date: Thu, 30 Sep 2004 03:35:26 +0100

    > xploitable <xploitable@gmail.com> wrote:
    >
    > Yahoo! Tuesday made public a preview of its coming new and improved homepage.
    >
    > A link from Yahoo!s homepage takes you to
    > http://www.yahoo.com/promos/learn.html, where users can learn more
    > about the new and improved functionality.
    >
    > On the learn.html page is a link
    > http://promotions.yahoo.com/frontpage_04/ud/fp2_taf.html to invite
    > friends or co-workers to view the New and Improved Homepage.
    >
    > This feature allows anyone to spam the Yahoo! Mail servers. Consumer
    > or Corporate mailboxes will be flooded with repeated invites, if a
    > malicious users codes a simple program to do so.
    >
    > All spammed invites do not goto the bulk folder as they should, they
    > arrive on the inbox, as repeated invites.
    >
    > This allows a malicious users to quickly bring Yahoo! Mail network to
    > a crawl and fill up a victims storage space very, very quickly.
    >
    > Yahoo! were notified of a similar vulnerability for its Yahoo! Mail
    > spam filters earlier this year with regards of its invite feature, on
    > the Yahoo! Messenger 6 IM client, it seems Yahoo! do not learn from
    > past mistakes.
    >
    > For this current vulnerability, the vendor has not been contacted.
    >
    > Happy Yahoo! Mail flooding.
    >
    > Discovered today by n3td3v
    >
    > --
    > http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

    Yahoo! security professionals have now fixed this flaw in security. If
    I had sent this to Yahoo!s security address from my personal past
    experiences, this flaw would still be pending and possibly have taken
    upto a week for Yahoo! security professionals to get round to
    implementing a solution.

    This is proof that indeed full-disclosure does work, even if its
    considered evil to post information which script kiddies could act
    upon to commit malicious activities on Yahoo!

    I only made this full disclosure after trying over several months to
    make contact with Yahoo! security professionals on other security
    matters, without success.

    This was more my way of testing my theory that Yahoo! security
    professionals would infact raise the priority of a problem to be
    fixed, if a public disclosure was made to a security community mailing
    list, such as "Full-Disclosure".

    I advise others to try and make contact with security professionals
    first by using security@yahoo-inc.com, but if you fail to get any
    common sense feedback from them, by all means, post flaws in security
    to a public mailing list. This way you can be sure, the flaw will be
    put to the top of Yahoo!s to-do-list agenda, before any other
    technical vulnerability.

    Hopefully someone at Yahoo! will learn something from this, but
    probably not. They'll undoubtly keep treating everyone like ***. 

    -- 
http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
  • Next message: Luigi Auriemma: "Crash in Alpha Black Zero 1.04"