Gaping security hole in Yahoo Mail


Changing the password doesn't make the link stop working.

1. Launch Yahoo Messenger client (only tested the win32 version... should work on any version)
2. Send an email to your Yahoo account
3. Click the read mail thing when it pops up in YIM. (make sure prefs->general->Automatically sign me in to Yahoo! Mail, blah blah when I click a link blah blah is set)
4. Stop your browser from the redirect using method of choice
5. Note URL, and accidentally distribute it.

So, initially getting this URL requires access to a logged-in Yahoo Messenger, but still, the bad part is, *****THE LINK WORKS AFTER YOU CHANGE YOUR PASSWORD*****

This was found when a version of Mozilla Firebird was breaking on the redirect page... the user copied the URL into his Bugzilla report, and it was observed that anyone could access his email.

new URL (the old one seems to have expired... so they allow you to log in for like a day with the same link).

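An added example, not part of the original post and not Yahoo's code: a model of a signed auto-login link, comparing a verifier that checks only signature and a one-day expiry (the behaviour the post reports) with one that also binds the token to the account's credential version, a short lifetime and a single use. All names, the key, the token layout and the 60-second lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: per-deployment secret
TTL_SECONDS = 60                       # assumption: short life for a handoff link

# Constructed account store: cred_version is bumped on every password change.
ACCOUNTS = {"alice": {"cred_version": 1}}
USED_TOKENS = set()                    # single-use tracking (in memory for the demo)


def _mac(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(user: str, now: float) -> str:
    """Mint a handoff token bound to the account's current credential version."""
    payload = f"{user}|{int(now)}|{ACCOUNTS[user]['cred_version']}"
    return f"{payload}|{_mac(payload).decode()}"


def change_password(user: str) -> None:
    """A password change bumps the version, orphaning every outstanding token."""
    ACCOUNTS[user]["cred_version"] += 1


def verify_weak(token: str, now: float, ttl: int = 86400) -> bool:
    """Signature and a one-day expiry only: survives a password change."""
    payload, _, mac = token.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _mac(payload)):
        return False
    _user, issued, _ver = payload.split("|")
    return now - int(issued) <= ttl


def verify_bound(token: str, now: float) -> bool:
    """Also require the current credential version, a short TTL and first use."""
    payload, _, mac = token.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _mac(payload)):
        return False
    user, issued, ver = payload.split("|")
    if user not in ACCOUNTS or int(ver) != ACCOUNTS[user]["cred_version"]:
        return False
    if now - int(issued) > TTL_SECONDS or token in USED_TOKENS:
        return False
    USED_TOKENS.add(token)
    return True
```

A production version would keep the used-token set and credential version in shared storage so every front end sees a password change at once.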