Bugtraq mailing list archives
Re: Yahoo! Instant Messenger
From: "Michael S. Fischer" <michael () DYNAMINE NET>
Date: Mon, 15 Jan 2001 09:26:39 -0800
"Shaun O'Callaghan" <the_duke247 () YAHOO COM> writes:
This is performed to the many Yahoo! servers by a plain get request on the standard ports that YIM uses. As far as I am aware, this is affecting all clients on all operating systems. YIM passwords also are used for mail, calendars, bill paying, auction bidding (which hold CC numbers) as well as other information including addresses on various users. I feel this is a very dangerous exploit and comes not long after I discovered the remote character buffer overflow vulnerability in a previous version, hope it was of some help.
The third statement of this paragraph is untrue -- Almost every transaction at Yahoo! involving money uses the Yahoo! wallet system, which uses a separate password from the one used by YIM and the other "standard" (non-financial) services.

http://wallet.yahoo.com

--Michael

Michael S. Fischer <michael () dynamine net> AKA Otterley
Lead Hacketeer, Dynamine Consulting, Silicon Valley, CA
Phone: +1 650 533 4684 | AIM: IsThisOtterley | ICQ: 4218323
"From the bricks of shame is built the hope"--Alan Wilder