Bugtraq mailing list archives
Security flaws in Yahoo Mail
From: shandrew () LELAND STANFORD EDU (andrew shieh)
Date: Sun, 12 Oct 1997 21:45:13 -0700
Yahoo recently opened a free, web-based mail service at http://mail.yahoo.com/. I believe they purchased this from Four11 or Rocketmail. It has several security flaws in its POP server access.

It has a capability to read external mail into your Yahoo mail account via POP3. This works fine. However, the setup for the POP mail is flawed. It asks you for mail server, username, and password, and records this, so the next time you log in to your Yahoo mail account, the settings are retained. This worries me.

The mail interface requires JavaScript. This worries me.

The mail interface uses cookies with long expiration times to authenticate you. This worries me.

The multiple major flaws are in the setup for external accounts. When you log in to the Yahoo account and check the settings for external accounts, the mail server, username, *and password* are printed as default form values. Although the password is bulleted-out on screen, *it is sent twice in the HTML source*, thus can be easily viewed. This is completely unnecessary--the user should retype a password if settings are being changed.

Additionally, since the web page sends no immediate Expires: header, this page gets cached on disk (for a long period of time) by many web browsers.

The Yahoo mail support pages seem to indicate that they are somewhat aware of some security issues, but this is not a difficult one to fix. If someone has access to your cookies or your cache, they can easily access the cleartext password of any external mail account you have set up on Yahoo.

The Lesson: Never use Yahoo mail on a shared computer without clearing the cache and cookies afterwards. Never use it to access other POP accounts.

-- Andrew Shieh
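The two defects the post describes (the stored password echoed into the settings form, and a page with no cache-control headers that browsers keep on disk) are easy to model and to check for. The following is an added example, not code from the post or from Yahoo: it renders a minimal settings page in both the weak and the hardened form and runs a small audit over the result. The field names, the header set and the sample credentials are my own assumptions.

```python
"""Added example (not from the original post): a minimal model of the
external-account settings page described above, rendered in the weak
form and in the hardened form, plus an audit that flags the two defects.

Assumptions (mine, not the post's): the page is an HTML form with fields
named "server", "username" and "password"; the audit looks for the stored
password anywhere in the body and for a missing Cache-Control: no-store.
"""

import html
import re

# Constructed sample settings; the password value is made up.
SAMPLE_SETTINGS = {
    "server": "pop.example.net",
    "username": "alice",
    "password": "hunter2-sample",
}


def render_pop_settings(settings, hardened):
    """Return (headers, body) for the external-account settings page.

    hardened=False reproduces the flaw the post describes: the stored
    password is written into the form and nothing stops disk caching.
    hardened=True leaves the password field empty (the user retypes it
    to change settings) and forbids caching of the page.
    """
    headers = {"Content-Type": "text/html"}
    if hardened:
        # Tell browsers and proxies not to store this page at all.
        headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
        headers["Pragma"] = "no-cache"
        headers["Expires"] = "0"
    pw_value = "" if hardened else html.escape(settings["password"], quote=True)
    server = html.escape(settings["server"], quote=True)
    username = html.escape(settings["username"], quote=True)
    body = (
        '<form method="post" action="/settings">\n'
        f'<input name="server" value="{server}">\n'
        f'<input name="username" value="{username}">\n'
        f'<input type="password" name="password" value="{pw_value}">\n'
        '<input type="submit">\n'
        "</form>\n"
    )
    return headers, body


def audit_response(headers, body, secret):
    """Return a list of findings for a rendered settings page."""
    findings = []
    # The stored secret must never appear in the page source, pre-filled
    # field or otherwise (the post notes it was sent twice).
    if secret and secret in body:
        findings.append("stored password is echoed in the HTML source")
    cache_control = headers.get("Cache-Control", "").lower()
    if "no-store" not in cache_control:
        findings.append("response lacks Cache-Control: no-store; browsers may cache it on disk")
    # A non-empty value attribute on a password field is a defect regardless of contents.
    if re.search(r'type="password"[^>]*value="[^"]+"', body):
        findings.append("password field is pre-filled")
    return findings


if __name__ == "__main__":
    for hardened in (False, True):
        h, b = render_pop_settings(SAMPLE_SETTINGS, hardened)
        label = "hardened" if hardened else "weak"
        print(label, audit_response(h, b, SAMPLE_SETTINGS["password"]))
```

Run stand-alone it prints three findings for the weak page and none for the hardened one. The audit is deliberately crude (substring and regex over the body), which is enough to catch a secret being reflected into a page and a missing no-store directive during a review of a rendered response.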