Re: Secure Yahoo logins

From: Roland Postle (mail@blazde.co.uk)
Date: 08/28/02


From: "Roland Postle" <mail@blazde.co.uk>
To: "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>
Date: Wed, 28 Aug 2002 05:43:03 +0100


>I remember trying that here using arpspoof and dsniff. It captured the
>URL that was being used. From what I remember, the password was MD5
>encrypted, and it said so in the URL. But, that said, there's no need to
>decrypt the password. Just paste that URL into your browser and it'll
>bring you directly into the person's Yahoo email account.

In theory, the nonce is supposed to be use-once to prevent replay
attacks like this. Typically it might also have encoded in it the IP
address and some time after which it's invalid. So even if you could
capture a hash that hadn't been used you'd have to spoof the person's IP
address, and fairly quickly. Unfortunately none of this seems to be
true, you /can/ indeed copy and paste the URL. You can do it from any
IP address, and you can do it whether the person is logged in or
not/has used that nonce or not.

I've just noticed one of my old skool mates \o/ coded the MD5
implementation so I'll see if he knows anything about why the login
procedure's a bit lame.

However, it's all a little irrelevant because you can capture the
session cookie on its way back from the server after the login (if you
logged in via SSL I presume this wouldn't be so). And it's all even
more irrelevant if what Nick says is true, the password is sent in
plaintext at some point. I'd be interested to see when and why.

- Blazde
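The three properties Blazde says the login nonce should have (single use, bound to the client's IP, time-limited) as a server-side sketch. This is an added example, not part of the original post and not Yahoo's code; the usernames, password verifiers and IP addresses are constructed, and SHA-256 stands in for whatever hash the real scheme used, since the hash choice has no bearing on the replay check.

```python
import hashlib
import hmac
import secrets
import time


class NonceLogin:
    """Issues single-use login nonces bound to the client's IP and a deadline."""

    NONCE_TTL = 60.0  # seconds a nonce stays valid (assumed value)

    def __init__(self, verifiers, clock=time.time):
        # verifiers: username -> stored password verifier (constructed sample data)
        self.verifiers = verifiers
        self.clock = clock  # injectable so expiry can be exercised deterministically
        self.pending = {}   # nonce -> (client_ip, expires_at)

    def issue_nonce(self, client_ip):
        # Unpredictable nonce, remembered together with who asked and until when.
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (client_ip, self.clock() + self.NONCE_TTL)
        return nonce

    @staticmethod
    def response_for(nonce, verifier):
        # What the client sends instead of the password: a hash over nonce + verifier.
        # SHA-256 is an assumption here; the hash choice is irrelevant to the replay check.
        return hashlib.sha256(f"{nonce}:{verifier}".encode()).hexdigest()

    def login(self, username, nonce, response, client_ip):
        # The nonce is consumed on first sight, whatever the outcome, so a captured
        # login URL cannot be pasted back in even if the original attempt failed.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False, "nonce unknown or already used"
        bound_ip, expires_at = entry
        if client_ip != bound_ip:
            return False, "nonce was issued to a different IP"
        if self.clock() > expires_at:
            return False, "nonce expired"
        verifier = self.verifiers.get(username)
        if verifier is None:
            return False, "no such user"
        expected = self.response_for(nonce, verifier)
        if not hmac.compare_digest(expected, response):
            return False, "bad credentials"
        return True, "ok"
```

Replaying the same URL, presenting it from another address, or presenting it late all fail at the nonce check before the credential hash is even compared, which is the behaviour the post found missing.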


