> I remember trying that here using arpspoof and dsniff. It captured the
> URL that was being used. From what I remember, the password was MD5
> encrypted, and it said so in the URL. But, that said, there's no need to
> decrypt the password. Just paste that URL into your browser and it'll
> bring you directly into the person's Yahoo email account.

In theory, the nonce is supposed to be use-once to prevent replay attacks like this. Typically it might also have encoded in it the IP address and some time after which it's invalid. So even if you could capture a hash that hadn't been used, you'd have to spoof the person's IP address, and fairly quickly.

Unfortunately none of this seems to be true: you /can/ indeed copy and paste the URL. You can do it from any IP address, and you can do it whether the person is logged in or not/has used that nonce or not.

I've just noticed one of my old skool mates \o/ coded the MD5 implementation, so I'll see if he knows anything about why the login procedure's a bit lame.

However, it's all a little irrelevant because you can capture the session cookie on its way back from the server after the login (if you logged in via SSL I presume this wouldn't be so). And it's all even more irrelevant if what Nick says is true, that the password is sent in plaintext at some point. I'd be interested to see when and why.

- Blazde
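The replay defence Blazde describes (a server-issued nonce that is single-use, bound to the client's IP address and time-limited) is easy to get wrong, so here is a worked illustration of what a login server has to check for a pasted URL to fail. This is an added example and not part of the original post, nor Yahoo's code: the server class, the `md5(nonce + password)` digest layout, the usernames, passwords and IP addresses are all invented for the demonstration.

```python
"""Hypothetical nonce-checked login, added to illustrate the replay
defence the post says the login *should* have had: a server-issued nonce
that is single-use, bound to the client IP and time-limited.  Example
code, not the scheme the post was sniffing; names and values are invented."""

import hashlib
import hmac
import secrets
import time


def md5_login_digest(nonce, password):
    """Client side: the captured URL, per the post, carried an MD5 of the
    password combined with a nonce.  The exact concatenation is an
    assumption; any unkeyed hash serves for the replay demonstration."""
    return hashlib.md5((nonce + password).encode("utf-8")).hexdigest()


class NonceLoginServer:
    """Server side: issues nonces and verifies login URLs against them."""

    def __init__(self, credentials, ttl_seconds=60, now=time.time):
        # Demo only: plaintext password per user so the server can recompute
        # the client's digest.  `now` is injectable so expiry can be tested.
        self._credentials = credentials
        self._ttl = ttl_seconds
        self._now = now
        self._nonces = {}  # nonce -> {"ip": str, "expires": float, "used": bool}

    def issue_nonce(self, client_ip):
        """Bind a fresh random nonce to the requesting IP and an expiry time."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = {"ip": client_ip,
                               "expires": self._now() + self._ttl,
                               "used": False}
        return nonce

    def login(self, username, nonce, client_digest, client_ip):
        """Return "ok", or the reason the login URL was rejected."""
        record = self._nonces.get(nonce)
        if record is None:
            return "unknown nonce"
        if record["used"]:
            return "replay"            # the pasted-URL attack from the post
        if client_ip != record["ip"]:
            return "ip mismatch"       # URL replayed from another address
        if self._now() > record["expires"]:
            return "expired"
        # Burn the nonce before checking the password, so a wrong guess
        # cannot be retried with the same nonce either.
        record["used"] = True
        expected = md5_login_digest(nonce, self._credentials.get(username, ""))
        if not hmac.compare_digest(expected, client_digest):
            return "bad password"
        return "ok"


def demo():
    """Walk through the post's scenario: a sniffed login URL is replayed.
    Returns the outcome of each attempt, in order."""
    clock = [1_000_000.0]                       # controllable clock (seconds)
    server = NonceLoginServer({"alice": "s3cret"}, ttl_seconds=60,
                              now=lambda: clock[0])
    victim_ip, attacker_ip = "10.0.0.5", "192.0.2.9"   # constructed addresses
    results = []

    # 1. Victim logs in; attacker sniffs nonce + digest from the login URL.
    nonce = server.issue_nonce(victim_ip)
    digest = md5_login_digest(nonce, "s3cret")
    results.append(server.login("alice", nonce, digest, victim_ip))
    # 2. Attacker pastes the same URL, even while spoofing the victim's IP.
    results.append(server.login("alice", nonce, digest, victim_ip))
    # 3. Attacker grabs an *unused* nonce but replays it from his own IP.
    nonce2 = server.issue_nonce(victim_ip)
    results.append(server.login("alice", nonce2,
                                md5_login_digest(nonce2, "s3cret"), attacker_ip))
    # 4. Attacker spoofs the IP but too late: the nonce has timed out.
    nonce3 = server.issue_nonce(victim_ip)
    clock[0] += 61
    results.append(server.login("alice", nonce3,
                                md5_login_digest(nonce3, "s3cret"), victim_ip))
    # 5. A wrong password burns the nonce; the right digest then fails too.
    nonce4 = server.issue_nonce(victim_ip)
    results.append(server.login("alice", nonce4,
                                md5_login_digest(nonce4, "wrong"), victim_ip))
    results.append(server.login("alice", nonce4,
                                md5_login_digest(nonce4, "s3cret"), victim_ip))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

Two caveats the post itself raises still apply even when every check above is in place: an unkeyed `md5(nonce + password)` seen on the wire can be attacked offline by guessing passwords, and the nonce does nothing for a session cookie that travels back in the clear after a successful login.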
This archive was generated by hypermail 2b30 : Wed Aug 28 2002 - 09:13:41 PDT