Re: Yahoo Pager auto-update

From: Jay (jayat_private)
Date: Mon Aug 10 1998 - 15:18:45 PDT

    Sergiy Zhuk wrote:
    >
    > hi
    >
    > On Mon, 10 Aug 1998, Texan Hawk wrote:
    >
    > > most likely have been to rootshell in the past while, but in case you haven't
    > > there was a program that would let you use the yahoo pager under anyone's
    > > account you chose.  It appears as if yahoo's pager gets the pw from the client
    > > side and not the server itself.  thusly if you load up this program it will log
    > > you in as anyone.  You can't do anything except send instant messages, but if
    >
    > message from the developer:
    >
    > this is our top priority to fix.  We've known about this for a little
    > while and should release a version this week which does checking both on
    > the client and server side for login/password
    >
    > brian
    >
    > BTW, is that a rule for Bugtraq posters and moderator to *not*
    > inform developers about security bugs before posting them here ?
    > It looks like it is now...
    
    This isn't a bug, it's a design flaw.
    
    I believe there's a difference, no? The developers must have been
    perfectly aware that authentication only happens on the client side,
    how could they not have been?
    
    How could that have 'accidentally' happened?
    
    Users have the right to know these things about the products and
    services they use, don't you think so?
    
    What you've quoted tells me that the developers were already well aware
    of the consequences of their poor implementation anyway.
    
    --
    +--------------------------+
    | Jay Barnes | jayat_private |
    +--------------------------+
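The flaw the thread describes, as an added illustration that is not part of the original posts and not Yahoo's protocol or code: a server that trusts an "I already checked the password" verdict sent by the client, beside one that verifies the credential itself. The message format, user table, salt and function names are all constructed for this example; a patched client that simply skips its own check logs in to the first server as anyone and is refused by the second.

```python
import hashlib
import hmac

# Constructed credential store for the example (hypothetical, not Yahoo's).
# The server keeps only a salted PBKDF2 hash, never the plaintext password.
_SALT = b"constructed-example-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_pw("correct horse")}


def vulnerable_server(msg: dict) -> str:
    """Design flaw: the server never sees or checks a password.

    It accepts a client-supplied 'authenticated' flag, so anyone who modifies
    or replaces the client controls the outcome of the login.
    """
    if msg.get("authenticated") and msg.get("user") in USERS:
        return f"OK session for {msg['user']}"
    return "DENIED"


def hardened_server(msg: dict) -> str:
    """Fix: the server verifies the credential itself.

    Any client-side verdict in the message is ignored; only a password that
    matches the stored hash (compared in constant time) opens a session.
    """
    user = msg.get("user")
    stored = USERS.get(user)
    if stored is None:
        return "DENIED"
    supplied = _hash_pw(msg.get("password", ""))
    if hmac.compare_digest(supplied, stored):
        return f"OK session for {user}"
    return "DENIED"


def honest_client_login(user: str, password: str) -> dict:
    """A well-behaved client: checks locally, then reports the result and
    also forwards the password so a proper server can re-check it."""
    passed = hmac.compare_digest(_hash_pw(password), USERS.get(user, b""))
    return {"user": user, "password": password, "authenticated": passed}


def rogue_client_login(user: str) -> dict:
    """A patched client: skips the local check and simply claims success,
    without ever knowing the password."""
    return {"user": user, "authenticated": True}


if __name__ == "__main__":
    rogue = rogue_client_login("alice")
    honest = honest_client_login("alice", "correct horse")
    print("vulnerable server, rogue client:", vulnerable_server(rogue))
    print("hardened server,   rogue client:", hardened_server(rogue))
    print("hardened server,  honest client:", hardened_server(honest))
```

The point of the contrast is the one Jay makes: nothing about the second server is accidental. The choice of where the password is checked is a design decision, and once it is made on the client there is no patch to the client that can fix it, because the attacker ships their own client.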
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:56 PDT