Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking Web Services

Posted by Hemos on from the getting-it-work dept.

siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."

1 of 226 comments (clear)

  1. Yahoo's problems... by Jace+of+Fuse! · · Score: 5, Informative

    Yahoo's problems are massive, and I think it's good that at least SOME people at Yahoo realize it, even though I'm still not convinced they are aware of the full scale of the problem.

    After all, if you chat with Yahoo's service, you're eventually going to be booted off by another user. Some of the methods users use to exploit the system and kick off other users are clever, some are not so clever.

    One method involves running a program easily downloaded off of the internet and typing in the desired victims name. It's your basic "Punter". Some of the programs available are effective at removing users of Yahoo's Messenger, while a few of the more recent ones do a good job taking out users who use 3rd party Yahoo clients, or even Yahoo's web-based Java client.

    These methods of exploitation are half-way understandable, though I don't see why Yahoo hasn't worked to block the attacks in the same way that AOL has with AIM.

    The other method, plain old boot-text, is simply unacceptable.

    If I were chatting with someone using Yahoo Messenger and they annoyed me, all I would have to do is send them a single URL with an unrealistically long domain name in it, and their Yahoo Messenger will crash. A URL such as www.xxxxx.com with about 400 to 500 X's in the name will work nicely.

    It's a relatively simple matter for the end user to set up a personal word-filter on their messenger and block out all occurences of "www." which effectively makes them invulnerable to this attack, but that is not the issue. The issue is, that if Yahoo has such easily exploitable end-user software, I'm very worried about the quality of their security as a whole.

    Think about it.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.