Advisories : My Yahoo! sends passwords in clear-text

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : My Yahoo! sends passwords in clear-text

Title:	My Yahoo! sends passwords in clear-text
Released by:	James Mancini
Date:	7th December 2000
Printable version:	Click here

  My Yahoo! sends passwords in clear-text

------------------------------------------------------------------------





SUMMARY



my.yahoo.com is a service provided by Yahoo! that allows people to view 

web pages customized for their preferences and access free web-based email 

services. There are two possible login procedures, an automated login 

function that provided based on cookies, and a HTML form based login. 

While the login credentials stored in the cookies are obfuscated, the HTML 

form based login to the service (and subsequent password verifications to 

access email and calendar applications) is done in clear-text, with no 

attempt to encrypt or obfuscate the password (see capture below).

It is therefore possible to compromise the email account by gaining access 

to the unencrypted form of the password, further if this password is used 

elsewhere (for example, for an additional email account) a much wider 

compromising can occur.



DETAILS



The lack of any attempt to obfuscate the password allows a trivially 

simple attack, sniffing of the passwords off any transit network, 

potentially compromising both the Yahoo! mail account as well as any other 

personal information stored in the user's profile (which includes gender, 

occupation, home address, work address, telephone and fax numbers, and 

other email account addresses). The seriousness of this issue is amplified 

due to the large number of unsophisticated Internet users who (unwisely) 

re-use passwords for mail accounts and other logins. 



While this may come as no surprise to security-aware sysadmins, many users 

are clearly unaware of this vulnerability. Many similar on-line webmail 

services use either SSL/TLS or a JavaScript MD5-based challenge-response 

mechanism to avoid transmitting the password over the network in its 

unencrypted form.



The HTTP headers and data contents of the POST form submission to the 

server are as follows (user IDs and passwords have been replaced with 

garbage data):



- - ---------------------------------------------------------

  POST /config/login?11d2t2v04l248 HTTP/1.1

  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,

application/vnd.ms-powerpoint, application/vnd.ms-excel,

application/msword, */*

  Accept-Language: en-us

  Content-Type: application/x-www-form-urlencoded

  Accept-Encoding: gzip, deflate

  User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

  Host: login.yahoo.com

  Content-Length: 150

  Connection: Keep-Alive

  Cache-Control: no-cache



 

tries=1&.src=&.last=&promo=&.intl=us&.bypass=&.partner=&.u=2vvm1bct25

s17&.v=0&hasMsgr=0&.chkP=Y&.done=&login=username&passwd=pass-word&.per

sistent=Y

- - ---------------------------------------------------------





ADDITIONAL INFORMATION



The information has been provided by   James 

Mancini.