Martin Fallon wrote: <<big snip>> > > VI - CRONOLOGY > ---------------- > > 09/09/2008 - Vulnerability Discovered. > 09/10/2008 - Attempt to contact yahoo - no success. > 09/11/2008 - Attempt to contact yahoo - no success. > 09/15/2008 - Attempt to contact yahoo - no success. > 09/20/2008 - Advisore Published.
Sometimes I wonder why we bother... This has been used in the past (and maybe even to phish Yahoo -- not sure now). Several times. And reported thusly. Maybe Yahoo just doesn't care? They fixed this same redirector issue on other Yahoo sub-domains, but missed (or chose not to fix it on) the "login" sub-domain. The gibbons in their web dev teams must be seriously underpaid, or just don't care. The Yahoo! security wonks who got this fixed on the other sub-domains back in February will be a tad pissed at the gibbons for missing this instance though, I suspect... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
