illmob.org

Saved Password Locations

November 25th, 2008 by admin in Firefox, Password Info, Trillian, windows, Yahoo

Many people ask about the location in the Registry or file system that applications store the passwords. Here is a list of password storage locations for popular applications compiled by Nir Sofer.
Be aware that even if you know the location of the saved password, it doesn’t mean that you can move it from one computer to another. many applications store the passwords in a way that prevent you from moving them to another computer or user profile. (more…)

Change Your Yahoo Email

October 30th, 2008 by admin in News, Privilege Escalation, Yahoo

The month’s victim comes courtesy of Yahoo, or should I say Yahoo’s HotJobs.com. On October 28th, popular internet research and analysis company Netcraft discovered a vulnerability on the Yahoo site that was being exploited to steal user authentication cookies. These cookies contain user login credentials that can be used to access any of Yahoo’s services, including e-mail. These cookies were being sent remotely to a site in the United States under the control of the attacker.

Yahoo has since corrected the flaw and released the following statement to netcraft:

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

How it happened:

The attacker managed to find a flaw at hotjobs.yahoo.com that allows visitors to inject obfuscated JavaScript into the page. The script can be configured to steal authentication cookies. The authentication cookie can then be used to allow the attacker to pose as the user.  This type of attack, and loyal netleets readers already know, is called cross-site scripting. Earlier in the year netcraft found a similar flaw at ychat.help.yahoo.com.

This attack was probably executed using the CookieMonster tool that has recently affected netflix.com and bankofamerica. CookieMonster is a cookie stealing toolkit that works with both http and https sites. It siphons authentication cookies from vulnerable sites. These cookies can be used to hijack a users account.

Theregister.co.uk best describes CookieMonster as follows:

The vulnerability stems from website developers’ failure to designate authentication cookies as secure. That means web browsers are free to send them over the insecure http channel, and that’s exactly what CookieMonster causes them to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure (non-https) portions of the protected website, and – voila! – the browser sends the authentication cookie.

A CookieMonster blog listed several popular sites that were allegedly vulnerable back in September. Those sites include southwest.com, expedia.com, usairways.com, register.com, newegg.com, ebay.com, any many many more.

What can be done:

In addition to the steps outlined in this XSS tutorial, sites that contain cookies for authentication must not allow cookie values to be translated on the client side. In the early days of cookie based authentication, many sites simply stored authentication information in the cookie, which can be read in any text editor. Today, cookies merely act as a reference point for server side authentication, however if the cookie can be used from any client, it defeats the purpose of even hiding the true value.

Perhaps the easiest thing that could have been done on Yahoo’s part would have been to configure their site to use http-only or https-only cookies. If only http is allowed, malicious javascript cannot be injected.

Via: netleets.com

Yahoo, Hotmail, Gmail all vulnerable to password-reset hack

September 22nd, 2008 by admin in Google, News, Password Info, Yahoo

How can you prevent a Palin webmail hack from happening to you? The short answer: you can’t.

Yahoo has no immediate plans to overhaul its e-mail security procedures after a hacker last week gained access to Sarah Palin’s private Yahoo Mail account, the company said Monday. Instead, it is reviewing security processes on an industry-wide basis.

Yahoo Mail isn’t the only Web-based mail service that could be duped into giving up someone else’s account password, the tactic that some have argued was used to break into Gov. Sarah Palin’s e-mail earlier this week.

Google Inc.’s Gmail, Microsoft Corp.’s Windows Live Hotmail and Yahoo Inc.’s Mail all rely on automated password-reset mechanisms that can be abused by anyone who knows the username associated with an account and an answer to a single security question, according to quick tests run by Computerworld.
(more…)

Yahoo Messenger

March 27th, 2008 by Dev Team in Password Info, Yahoo

The old Yahoo Messenger, i think prior to 7.0 ,used to keep the encrypted password in the registry HKEY_CURRENT_USER\Software\Yahoo\Pager under a key called
“EOptions String” this can be decrypted by using Yahoo’s own dll located in the Yahoo Install directory “ycrwin32.dll” (more…)