Bugtraq mailing list archives

Re: Yahoo Pager auto-update


From: jay () NDI NET (Jay)
Date: Mon, 10 Aug 1998 18:18:45 -0400


Sergiy Zhuk wrote:

hi

On Mon, 10 Aug 1998, Texan Hawk wrote:

most likely have been to rootshell in the past while, but in case you haven't
there was a program that would let you use the yahoo pager under anyone's
account you chose.  It appears as if yahoo's pager gets the pw from the client
side and not the server itself.  thusly if you load up this program it will log
you in as anyone.  You can't do anything except send instant messages, but if

message from the developer:

this is our top priority to fix.  We've known about this for a little
while and should release a version this week which does checking both on
the client and server side for login/password

brian

BTW, is that a rule for Bugtraq posters and moderator to *not*
inform developers about security bugs before posting them here ?
It looks like it is now...

This isn't a bug, it's a design flaw.

I believe there's a difference, no? The developers must have been perfectly
aware that authentication only happens on the client side, how could they not
have been?

How could that have 'accidentally' happened?

Users have the right to know these things about the products and services they
use, don't you think so?

What you've quoted tells me that the developers were already well aware
of the consequences of their poor implementation anyway.

--
+--------------------------+
| Jay Barnes | jay () ndi net |
+--------------------------+
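
The design flaw discussed in this thread, client-side-only authentication, shown next to the server-side check the developer says is coming. This is an added example, not code from the thread or from Yahoo; the Pager's real protocol is not described here, so the message fields (`user`, `password`, `client_verified`), the account store and the function names are all hypothetical.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; the server never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_store(accounts: dict) -> dict:
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash(password, salt))
    return store

# Constructed accounts for the example; not real data.
STORE = make_store({"alice": "correct horse", "bob": "hunter2"})

# Dummy record so unknown users cost the same work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_client_trusting(msg: dict, store: dict = STORE) -> bool:
    """Flawed design: the password check ran in the client, and the server
    accepts the client's word that it passed."""
    return msg.get("user") in store and msg.get("client_verified") is True

def login_server_checked(msg: dict, store: dict = STORE) -> bool:
    """Server-side check: client claims are ignored; only a password that
    matches the server's stored hash authenticates the session."""
    user, password = msg.get("user"), msg.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return False
    salt, expected = store.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), expected)
    return matches and user in store

# Constructed messages: what a modified client could send, and a normal login.
FORGED = {"user": "alice", "client_verified": True}
HONEST = {"user": "alice", "password": "correct horse"}

if __name__ == "__main__":
    print("client-trusting server accepts forged login:", login_client_trusting(FORGED))
    print("server-checked login accepts forged login: ", login_server_checked(FORGED))
    print("server-checked login accepts real password:", login_server_checked(HONEST))
```
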


