[7599] in bugtraq
Re: Yahoo Pager auto-update
daemon@ATHENA.MIT.EDU (Sergiy Zhuk)
Mon Aug 10 16:40:44 1998
Date: Mon, 10 Aug 1998 13:01:55 -0700
Reply-To: Sergiy Zhuk <serge@YAHOO-INC.COM>
From: Sergiy Zhuk <serge@YAHOO-INC.COM>
X-To: Texan Hawk <r_claypo@CSUNIX1.LVC.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <35cbe4d9-r_claypo@wwivbbs.org>
hi
On Mon, 10 Aug 1998, Texan Hawk wrote:
> most likely have been to rootshell in the past while, but in case you haven't
> there was a program that would let you use the yahoo pager under anyone's
> account you chose. It appears as if yahoo's pager gets the pw from the client
> side and not the server itself. Thusly if you load up this program it will log
> you in as anyone. You can't do anything except send instant messages, but if
message from the developer:
This is our top priority to fix. We've known about this for a little
while and should release a version this week which does checking both on
the client and server side for login/password.
brian
BTW, is that a rule for Bugtraq posters and moderator to *not*
inform developers about security bugs before posting them here?
It looks like it is now...
Note for "lazy" people:
Just imagine for one second that you're the developer who made the mistake
and imagine that thousands of people are using your product.
Don't say it couldn't be you, everybody could make a mistake.
Instead of describing how lazy you are, take exactly the same amount of time
to figure out what the proper address is or to fill out the web form.
rgds,
serge
--
+-------------------------------------+-------------------------------------+
| Sergiy Zhuk | serge@yahoo-inc.com |
| Technical Yahoo | +1-408-731-3546 |
| Yahoo!, Inc | http://www.yahoo.com/ |
+-------------------------------------+-------------------------------------+