October 7th, 2002, 09:34 PM
Erm, I don't know if this is a tried and tested exploit, but here's something I stumbled across.
I am trying to make a Yahoo Messenger program for my project, and whilst researching how Yahoo authenticates its users I noticed that the authentication is sent via HTTP without encryption, and that if you search using a crawler for part of that string, all sorts of proxy server stats pages pop up showing the most visited pages ... and the logon names and passwords for many Yahoo users.
I'm probably saying something very old and boring, or you can't even understand what I am trying to say, but has anyone else noticed this?
October 7th, 2002, 09:51 PM
There are many security vulnerabilities associated with instant messaging. I am not sure if passwords are sent unencrypted for Yahoo, but I know AIM utilizes weak encryption on the passwords and no encryption on the messages. Everyone should consider their conversations on instant messengers to be public domain! I have read a white paper that explains the various security vulnerabilities in instant messaging. It is too big to post here, but search Google for "X-Force_P2P.pdf" and you should get it. It goes through most P2P and IM applications and outlines the security risks for each. A really good read!
October 7th, 2002, 10:38 PM
That link btw is here
I have seen what you are talking about with the Yahoo! IM. I was looking into how it did its authentication a couple of months ago and was kind of surprised to see my username and password passing around in the clear. (a simple GET /config/ncclogin?.src=bl&login=username&passwd=password&.... HTTP/1.1 ) I was also kind of surprised that there were telnet sessions associated with the client. I started looking at the contents but couldn't really tell what it was doing...there was very little useful there in the clear, but still found it interesting that your client would actually be using port 23 to connect to servers at Yahoo...
I think I have seen it mentioned in the past that Google had cached things of this nature before, not sure if it actually referenced the Yahoo! messenger either... Either way, just further illustration of why IMs can be a network/security manager's nightmare (and why my group has elected to block them).
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
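
Added example, not part of any post in this thread and not Yahoo's or any proxy vendor's code: a log scrubber a proxy administrator could run before access logs are fed to a stats page, so that password values sent in a GET query string (as in the request quoted above) are never published. The log layout, the `example.invalid` host and every parameter name other than `passwd` are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "passwd" is the parameter quoted in the thread; the rest are assumed variants.
SECRET_PARAMS = {"passwd", "password", "pass", "pwd"}

# Request method followed by the URL (absolute for proxy logs, or a bare path).
REQUEST_RE = re.compile(r"\b(GET|POST|HEAD)\s+(\S+)")

def redact_url(url):
    """Return (url with secret values replaced, names of the secrets found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = [k for k, v in pairs if k.lower() in SECRET_PARAMS and v]
    if not hits:
        return url, []          # leave clean URLs byte-for-byte unchanged
    cleaned = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), hits

def redact_line(line):
    """Redact secrets in the request URL of one access-log line."""
    found = []
    def _sub(match):
        url, hits = redact_url(match.group(2))
        found.extend(hits)
        return f"{match.group(1)} {url}"
    return REQUEST_RE.sub(_sub, line), found

def scan(lines):
    """Return (redacted lines, 1-based numbers of lines that held a secret)."""
    out, flagged = [], []
    for number, line in enumerate(lines, start=1):
        redacted, found = redact_line(line)
        out.append(redacted)
        if found:
            flagged.append(number)
    return out, flagged

# Constructed sample in common log format; host and credentials are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Oct/2002:21:30:01 +0000] "GET http://login.example.invalid'
    '/config/ncclogin?.src=bl&login=alice&passwd=hunter2 HTTP/1.1" 200 312',
    '10.0.0.9 - - [07/Oct/2002:21:31:12 +0000] '
    '"GET http://www.example.invalid/index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    lines, flagged = scan(SAMPLE_LOG)
    print("\n".join(lines))
    print("lines that carried a password:", flagged)
```

The login name is left visible on purpose so the flagged lines still show which accounts need a password reset.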