gammarays has release a paper and a video showing proof of concept on how to bypass yahoo security by simply generating his own cookie and totally leaving login.yahoo.com out of the picture.....If you own a yahoo account, then this may be of a concern to you.....Doesn't surprise me that something like this would happen to another microsoft shop...seeing as this is only one layer user authentication....Security matters...I hope they resolve this issue faster than I can finish playing bee on guitar hero...Who needs to hijack cookie when you have yahoo cookie generator, eh...Next we should see viruses and spam coming from your trusty contacts... Just like CAPTCHA, I tell you. It's not in the algo you use to construct the image. It's in how you present it to the user that determines it's strength.
edited:
video:
milw0rm.com/video/watch.php?id=84
paper:
milw0rm.com/papers/270
more on this from Rizki:
ilmuhacking.com/web-security/yahoo-session-cookie-generator/
1 comment:
VIDEO IS FAKE.
YOU CAN TELL BY WATCHING CLOSE
NO CLOCK IS SHOWN BUT
WHEN THE COMMAND PROMPT IS OPEN. IT APPEARS AFTER THE FLASH WINDOW. BUT WHEN THE FIREFOX WINDOW OPEN WITH EITHER THE MAIL IT APPEARS BEFORE THE FLASH WINDOW, HENCE THE RECORDING WAS STOPPED AND THEN STARTED AGAIN.
Post a Comment