Re: Secure Yahoo logins

From: Nick Jacobsen (nickat_private)
Date: Tue Aug 27 2002 - 20:36:40 PDT

    A couple things -  one, yahoo DOES send the password in plain text, you just
    have to capture it at the right time, and two, whether or not your users are
    logging in securely doesn't really matter, as it is REALLY easy to ARP
    poison, and then perform a man in the middle attack...  you should try using
    ettercap instead of ethereal, to see this...  ettercap supports full,
    automated ARP poisoning, as well as automating the mitm attack process...
    it supports SSH(Secure Telnet) and SSL(HTTPS) decryption and sniffing, as
    well as having a very well documented API for plugins...
    
    I guess my main point is that if you are having your users log in using
    "secure log in" for the express reason of making it so their password cannot
    be sniffed, it is pointless, as anyone can STILL sniff it!
    
    Nick J.
    Ethics Design
    nickat_private
    ethicsat_private
    
    
    
    ----- Original Message -----
    From: "Jeremy" <prrthdat_private>
    To: <vuln-devat_private>
    Sent: Tuesday, August 27, 2002 3:10 PM
    Subject: Secure Yahoo logins
    
    
    Hello all,
    
      Recently, it has come to my attention that many of our users are using the
    standard login to access their yahoo accounts. I want to push a policy that
    requires them to use the secure login option instead. I would like to show
    my boss that you can capture the username and password by simply doing some
    sniffing.
      Well, to do a test I fired up ethereal and captured a session of me
    logging into a new yahoo account. What kind of surprised me is the password
    looks encrypted. My first guess was it was just base 64 mime encoded but
    that turned out to be wrong. Does anyone have any idea on how they encrypt
    their passwords or have any tools that will try and crack the passwords?
      My other question is if the passwords are encrypted why do they offer a
    secure login option? How does that increase security, other than adding a
    brief ssl session.
    
    Thanks,
      Jeremy
    



    This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 20:57:54 PDT