[7601] in bugtraq


Re: Yahoo Pager auto-update

daemon@ATHENA.MIT.EDU (Jay)
Mon Aug 10 18:43:18 1998

Date: 	Mon, 10 Aug 1998 18:18:45 -0400
Reply-To: Jay <jay@NDI.NET>
From: Jay <jay@NDI.NET>
X-To:         Sergiy Zhuk <serge@YAHOO-INC.COM>
To: BUGTRAQ@NETSPACE.ORG

Sergiy Zhuk wrote:
>
> hi
>
> On Mon, 10 Aug 1998, Texan Hawk wrote:
>
> > most likely have been to rootshell in the past while, but in case you haven't
> > there was a program that would let you use the yahoo pager under anyone's
> > account you chose.  It appears as if yahoo's pager gets the pw from the client
> > side and not the server itself.  thusly if you load up this program it will log
> > you in as anyone.  You can't do anything except send instant messages, but if
>
> message from the developer:
>
> this is our top priority to fix.  We've known about this for a little
> while and should release a version this week which does checking both on
> the client and server side for login/password
>
> brian
>
> BTW, is that a rule for Bugtraq posters and moderator to *not*
> inform developers about security bugs before posting them here ?
> It looks like it is now...

This isn't a bug, it's a design flaw.

I believe there's a difference, no? The developers must have been perfectly
aware that authentication only happens on the client side, how could they not
have been?

How could that have 'accidentally' happened?

Users have the right to know these things about the products and services they
use, don't you think so?

What you've quoted tells me that the developers were already well aware
of the consequences of their poor implementation anyway.

--
+--------------------------+
| Jay Barnes | jay@ndi.net |
+--------------------------+
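The design flaw the thread is about, a server that lets the client decide whether a login succeeded, is illustrated below beside the corrected design. This is an added, constructed example, not Yahoo's code or protocol; the user database, message fields and passwords are all made up.

```python
"""Constructed illustration: a server that trusts the client's claim of a
successful login versus one that verifies the credential itself."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed user database: username -> (salt, PBKDF2 hash). Not real data.
def _record(password: str):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {"alice": _record("correct horse"), "bob": _record("battery staple")}

def trusting_login(msg: dict) -> Optional[str]:
    """Flawed design: the client checks the password locally and then sends
    only the username plus a flag saying it succeeded. The server never sees
    a credential, so any client that sets the flag is logged in as whoever
    it names. This is the 'authentication only on the client side' problem."""
    if msg.get("authenticated") is True and msg.get("user") in USERS:
        return msg["user"]
    return None

def verifying_login(msg: dict) -> Optional[str]:
    """Corrected design: the server derives the hash from the submitted
    password and compares it in constant time against its own record."""
    rec = USERS.get(msg.get("user", ""))
    if rec is None:
        return None
    salt, expected = rec
    got = hashlib.pbkdf2_hmac(
        "sha256", str(msg.get("password", "")).encode(), salt, 100_000)
    return msg["user"] if hmac.compare_digest(got, expected) else None

# Constructed messages: one client asserts success without a password,
# one supplies the right password, one supplies a wrong password.
FORGED = {"user": "alice", "authenticated": True}
HONEST = {"user": "alice", "password": "correct horse"}
WRONG = {"user": "alice", "password": "guess"}

if __name__ == "__main__":
    print("trusting server, forged client :", trusting_login(FORGED))   # alice
    print("verifying server, forged client:", verifying_login(FORGED))  # None
    print("verifying server, honest client:", verifying_login(HONEST))  # alice
```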
