[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-Disclosure] Yahoo! Spam Filter Vulnerability
From:       xploitable <xploitable () gmail ! com>
Date:       2004-09-30 2:35:26
Message-ID: 4b6ee93104092919357f0750c2 () mail ! gmail ! com
[Download RAW message or body]

> xploitable <xploitable@gmail.com> wrote:
> 
> Yahoo! Tuesday made public a preview of its coming new and improved homepage.
> 
> A link from Yahoo!s homepage takes you to
> http://www.yahoo.com/promos/learn.html, where users can learn more
> about the new and improved functionality.
> 
> On the learn.html page is a link
> http://promotions.yahoo.com/frontpage_04/ud/fp2_taf.html to invite
> friends or co-workers to view the New and Improved Homepage.
> 
> This feature allows anyone to spam the Yahoo! Mail servers. Consumer
> or Corporate mailboxes will be flooded with repeated invites, if a
> malicious users codes a simple program to do so.
> 
> All spammed invites do not goto the bulk folder as they should, they
> arrive on the inbox, as repeated invites.
> 
> This allows a malicious users to quickly bring Yahoo! Mail network to
> a crawl and fill up a victims storage space very, very quickly.
> 
> Yahoo! were notified of a similar vulnerability for its Yahoo! Mail
> spam filters earlier this year with regards of its invite feature, on
> the Yahoo! Messenger 6 IM client, it seems Yahoo! do not learn from
> past mistakes.
> 
> For this current vulnerability, the vendor has not been contacted.
> 
> Happy Yahoo! Mail flooding.
> 
> Discovered today by n3td3v
> 
> --
> http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

Yahoo! security professionals have now fixed this flaw in security. If
I had sent this to Yahoo!s security address from my personal past
experiences, this flaw would still be pending and possibly have taken
upto a week for Yahoo! security professionals to get round to
implementing a solution.

This is proof that indeed full-disclosure does work, even if its
considered evil to post information which script kiddies could act
upon to commit malicious activities on Yahoo!

I only made this full disclosure after trying over several months to
make contact with Yahoo! security professionals on other security
matters, without success.

This was more my way of testing my theory that Yahoo! security
professionals would infact raise the priority of a problem to be
fixed, if a public disclosure was made to a security community mailing
list, such as "Full-Disclosure".

I advise others to try and make contact with security professionals
first by using security@yahoo-inc.com, but if you fail to get any
common sense feedback from them, by all means, post flaws in security
to a public mailing list. This way you can be sure, the flaw will be
put to the top of Yahoo!s to-do-list agenda, before any other
technical vulnerability.

Hopefully someone at Yahoo! will learn something from this, but
probably not. They'll undoubtly keep treating everyone like shit.

-- 
http://www.geocities.com/n3td3v - Yahoo! Security Forum *Online*.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]