Posted on February 10th, 2009
Reported by PaxNwo.
The injected script is still active and is being used to steal Yahoo! account sessions. Do not visit the domain unless JavaScript is disabled in your browser and you are logged out of Yahoo! Mail; otherwise you may lose your mail account.
LINK: http://timetags.research.yahoo.com
The vulnerability is in the title of the posted "remix".
Screenshots:

February 10th, 2009 at 7:53 pm
Ouch. I'd say take that link out, since there are plenty who'll click without reading?
February 10th, 2009 at 7:54 pm
Thanks for telling me. It was only removed from the RO version.
February 10th, 2009 at 9:14 pm
But what if the session cookie has the HttpOnly attribute? Does it still work? Some platforms (e.g. ASP.NET) set this attribute automatically on framework-managed cookies, since around 2003 if I'm not mistaken.
February 10th, 2009 at 9:18 pm
And no, XMLHttpRequest won't work as an alternative except on crappy platforms. As I wrote here -> http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/#comment-85043 only the really crappy platforms that emit the session cookie in every HTTP response are vulnerable.
February 10th, 2009 at 9:50 pm
@Andrei: First of all, at Yahoo they aren't HttpOnly. Secondly, since HttpOnly isn't a standard, not all browsers honor that attribute (Opera, for example), so it isn't advisable to rely on HttpOnly. Better to secure your site.
February 10th, 2009 at 9:53 pm
Of course input validation and correct output encoding are sacred things in the operation of a software application. HttpOnly is currently not correctly supported by pretty much any browser and has the status of a band-aid. Still, I thought it worth mentioning.
February 10th, 2009 at 9:53 pm
Super cool, bro. Both Yahoo and Google have had articles titled epic fail =))
February 12th, 2009 at 12:25 am
Silly that you made it public. You should have sold it instead.
February 12th, 2009 at 2:26 pm
Nice, Pax :))
February 12th, 2009 at 2:56 pm
My ass, kenpachi made it; I'll smack Pax in the face for it.
March 1st, 2009 at 4:44 am
http://www.kaskus.us/showthread.php?t=1428092
someone stole your post
use google translate if you don’t understand
March 1st, 2009 at 3:29 pm
They're Romani kin :)))
March 14th, 2009 at 12:14 am
Looks like the link no longer works: http://timetags.research.yahoo.com