I've been working on a GTK (Unix) Yahoo pager client based on Doug Winslow's yppro2.c source and found the following security problem while testing some client functionality.

Any user can send a packet with service #7 or #8 and activate/deactivate an identity, even if it isn't your own alternate identity. It does appear that the primary id for the identity affected has to be logged on though. If you send a message to that id, it does go to the correct destination. The problem is, it can be abused simply by someone logging on and deactivating an identity for someone else, which makes it look like that id logged off.

The fix - when your server handles an id-activate/id-deactivate service request, it should make sure that request is coming from the primary ID for that identity. (You should be able to do that without a protocol version change.)

-- Nathan
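The server-side check suggested in the post, sketched as an added example that is not part of the original message or of any real pager server. The identity table, function names and result codes are hypothetical, and mapping 7 to activate and 8 to deactivate is an assumption, since the post does not say which number is which.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed mapping: the post names services 7 and 8 but not which is which. */
enum { SVC_ID_ACTIVATE = 7, SVC_ID_DEACTIVATE = 8 };
enum result { RES_OK, RES_BAD_SERVICE, RES_DENIED };

struct identity {
    const char *name;       /* alternate identity */
    const char *primary_id; /* account that owns it */
    bool active;
};

/* Constructed sample data; a real server would query its account store. */
static struct identity identities[] = {
    { "alice_alt", "alice", true },
    { "bob_alt",   "bob",   true },
};

static struct identity *find_identity(const char *name)
{
    for (size_t i = 0; i < sizeof identities / sizeof identities[0]; i++)
        if (strcmp(identities[i].name, name) == 0)
            return &identities[i];
    return NULL;
}

/* session_primary_id is the ID the server authenticated on this connection,
 * never a field copied out of the request packet. */
enum result handle_identity_request(const char *session_primary_id,
                                    int service, const char *target)
{
    if (service != SVC_ID_ACTIVATE && service != SVC_ID_DEACTIVATE)
        return RES_BAD_SERVICE;
    struct identity *id = find_identity(target);
    /* Ownership check. Unknown and foreign identities get the same answer,
     * so the reply does not reveal which identities exist. */
    if (id == NULL || strcmp(id->primary_id, session_primary_id) != 0)
        return RES_DENIED;
    id->active = (service == SVC_ID_ACTIVATE);
    return RES_OK;
}

bool identity_is_active(const char *name)
{
    struct identity *id = find_identity(name);
    return id != NULL && id->active;
}
```

Because the check depends only on state the server already holds, it needs no new packet field, which matches the post's remark that no protocol version change is required.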
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:23 PDT