hi On Mon, 10 Aug 1998, Texan Hawk wrote: > most likely have been to rootshell in the past while, but in case you havn't > there was a program that would let you use the yahoo pager under anyone's > account you chose. It appears as if yahoo's pager gets he pw from the client > side and not the server itself. thusly if you load up this program it will log > you i as anyone. You can't do anything except send instant messages, but if message from the developer: this is our top priority to fix. We've known about this for a little while and should release a version this week which does checking both on the client and server side for login/password brian BTW, is that a rule for Bugtraq posters and moderator to *not* inform developers about security bugs before posting them here ? It looks like it is now... Note for "lazy" people: Just imagine for one second that you're the developer who made the mistake and imagine that thousands of people are using your product. Don't say it couldn't be you, everybody could make a mistake. Instead of describing how lazy you are, take exactly the same amount of time to figure out what the proper address is or to fill out the web form. rgds, serge -- +-------------------------------------+-------------------------------------+ | Sergiy Zhuk | serge@yahoo-inc.com | | Technical Yahoo | +1-408-731-3546 | | Yahoo!, Inc | http://www.yahoo.com/ | +-------------------------------------+-------------------------------------+
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:55 PDT