Full Disclosure mailing list archives
My Yahoo! Search Spam Vulnerability
From: xploitable <xploitable () gmail com>
Date: Wed, 6 Oct 2004 02:27:18 +0100
Yahoo! on Tuesday released a new service dubbed My Yahoo! Search, http://mysearch.yahoo.com. This allows users to search, save and share web links they like, while using Yahoo! Search, with friends and co-workers.

Problem: My Yahoo! Search allows users to archive saved web links. You can send any web link to any e-mail address on the web using the handler at http://mysearch.yahoo.com/myresults/handler. This allows a malicious user to spam the Yahoo! Mail network with any link and message the malicious user chooses. The mail will go straight to a consumer's inbox, instead of the bulk folder. This allows a malicious user to very quickly use up a consumer's storage space (100MB).

Also, malicious users can use this to send junk links, pr0n or other malicious links for further exploration, although this is a separate issue from the spam vulnerability. A malicious user, as you may imagine, is also able to attack Yahoo! mail servers via the mailer, in a possible coordinated attack using a zombie network. Malicious users can also make money from free link/website advertising via the My Yahoo! Search link mailer.

The new service My Yahoo! Search in my opinion raises security questions about how marketing companies will use this as a spam tool, with or without the inbox vulnerability, which I have disclosed to you today.

Yahoo!, the vendor, has not been contacted, as it's beyond a joke now. Three similar vulnerabilities have been found this year. The Yahoo! security team fails to review new Yahoo! projects before they go live on any Yahoo! property.

Yahoo! Messenger 6 invite mailer was vulnerable and exploitable. (summer 2004)
Yahoo! New Homepage invite mailer was vulnerable and exploitable. (autumn 2004)
My Yahoo! Search link mailer is vulnerable and exploitable. (autumn 2004)

--
http://www.geocities.com/n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
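Mail-this-link handlers of the kind the post describes become open relays when anyone can pick the recipient and the message text. The following is an added example, not Yahoo!'s code and not taken from the handler at http://mysearch.yahoo.com/myresults/handler, sketching the controls such an endpoint needs: the sender must be logged in, the recipient list is capped and checked for header injection, the link must be an absolute http(s) URL, the body is a fixed template with no free-form text, and sends are rate-limited per account. Every field name, limit and class name in it is a hypothetical assumption made for the example.

```python
"""Hardened 'e-mail this link' handler. Added example, not Yahoo! code: every
field name, limit and class here is a hypothetical assumption for illustration."""
import re
import time
from collections import namedtuple
from urllib.parse import urlparse

MAX_RECIPIENTS_PER_REQUEST = 5   # hypothetical policy limits
MAX_SENDS_PER_HOUR = 20
ALLOWED_SCHEMES = {"http", "https"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class ShareError(ValueError):
    """Raised when a share request is refused."""

Session = namedtuple("Session", "user_id authenticated csrf_token")

class RateLimiter:
    """Sliding-window count of recipients per sender (`now` injectable for tests)."""
    def __init__(self, limit, window):
        self.limit, self.window, self.events = limit, window, {}

    def allow(self, key, count=1, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.events.get(key, []) if now - t < self.window]
        if len(recent) + count > self.limit:
            self.events[key] = recent
            return False
        self.events[key] = recent + [now] * count
        return True

def validate_link(url):
    # Only absolute http(s) URLs: no javascript:, data: or mailto: links.
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES or not p.netloc:
        raise ShareError("link must be an absolute http(s) URL")
    return url

def validate_recipients(raw):
    # Cap the count; fullmatch rejects CR/LF, so no mail-header injection.
    addrs = [a.strip() for a in raw.split(",") if a.strip()]
    if not addrs:
        raise ShareError("no recipients")
    if len(addrs) > MAX_RECIPIENTS_PER_REQUEST:
        raise ShareError("too many recipients")
    for a in addrs:
        if not EMAIL_RE.fullmatch(a):
            raise ShareError("bad recipient: %r" % a)
    return addrs

def render_message(sender_id, link):
    # Fixed template: the only sender-controlled content is the link itself,
    # so any free-form 'message' field is ignored and cannot carry spam copy.
    return "%s shared a saved link with you:\n%s\n" % (sender_id, link)

def handle_share(session, form, limiter, send, now=None):
    """Authenticate, validate, rate-limit, send. Returns recipients mailed."""
    if not session.authenticated:
        raise ShareError("login required")
    if form.get("csrf") != session.csrf_token:
        raise ShareError("bad CSRF token")
    link = validate_link(form.get("link", ""))
    recipients = validate_recipients(form.get("to", ""))
    if not limiter.allow(session.user_id, count=len(recipients), now=now):
        raise ShareError("rate limit exceeded")
    body = render_message(session.user_id, link)
    for rcpt in recipients:
        send(rcpt, body)
    return recipients

def attempt(fn):
    """Run one request; report 'sent' or the refusal reason."""
    try:
        fn()
        return "sent"
    except ShareError as e:
        return str(e)

def run_demo():
    """Constructed requests exercising each control; returns their outcomes."""
    limiter = RateLimiter(MAX_SENDS_PER_HOUR, 3600.0)
    outbox = []
    send = lambda rcpt, body: outbox.append((rcpt, body))
    alice = Session("alice", True, "t0k3n")
    good = {"csrf": "t0k3n", "link": "https://example.com/page",
            "to": "bob@example.com", "message": "ATTACKER TEXT"}
    many = lambda n: ",".join("u%d@example.com" % i for i in range(n))
    r = {}
    r["legit"] = attempt(lambda: handle_share(alice, good, limiter, send, 0.0))
    r["template_only"] = "ATTACKER TEXT" not in outbox[0][1]
    r["anon"] = attempt(lambda: handle_share(Session("", False, ""), good, limiter, send, 0.0))
    r["bad_link"] = attempt(lambda: handle_share(alice, dict(good, link="javascript:alert(1)"), limiter, send, 0.0))
    r["too_many"] = attempt(lambda: handle_share(alice, dict(good, to=many(6)), limiter, send, 0.0))
    for _ in range(5):  # 5 recipients per request until the hourly cap trips
        r["flood"] = attempt(lambda: handle_share(alice, dict(good, to=many(5)), limiter, send, 0.0))
        if r["flood"] != "sent":
            break
    r["delivered"] = len(outbox)
    return r
```

Calling run_demo() walks one legitimate share and then the abuse cases the post raises: an anonymous sender, a non-http link, a bulk recipient list, attacker-chosen message text, and a flood of requests. The template-only body is the control that most directly addresses the spam complaint; the per-account rate limit and login requirement are what stop a zombie network from driving the mailer at volume, since each account can only send MAX_SENDS_PER_HOUR messages before being refused.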