Security warning on login page of yahoo (and ...) website!

By mrizvandi
This is a security warning about the login page of the many web sites that use the "remember me" option:

This security problem exists on a wide range of websites that support "remember me".
Read the story:

There is a wrong authentication with cookies on the login page:
Oh... please run this step-by-step test on 2 computers:
1- (PC2) log in to the Yahoo account
2- (PC2) change the password
3- (PC2) log in to the Yahoo account with "Keep me signed in" checked
4- (PC1) log in to the Yahoo account (you can't, because the password changed)
5- (PC1) reset the password (using security questions and other ways to reset the password)
6- (PC1) log in to the Yahoo account
7- (PC2) open the Yahoo mail page (go to mail.yahoo.com); you can access the mailbox. Remember, at step 5 the password was changed, but on PC2 you can access the mailbox.

OK (PC1 is your system and PC2 is the hacker's system).
Short story:
A hacker hacked the mail account (with social hack or ...) and changed the password. The user wants to log in to the mailbox and he/she can't log in because the hacker changed the password. The victim has intelligence and goes to the "forgot the password" section and resets the password with the security question or alternative mail account, etc.
Good. But the hacker still has access to the account because the hacker was logged in with the "Keep me signed in" option on the login page, and the victim doesn't know.
I think you have to change the "Keep me signed in" option to check the cookie, if the password changed. (I think the site 2 weeks)

----------------------------
At first, I sent the report to Yahoo, but this is not a Yahoo problem. Yahoo is a sample site.
I don't want to hack any site or site members.
And I don't want to say I know how to hack the sites.
This is a problem with cookie checking in the login process of many sites.

This is not an exploit, virus or other malicious software; this is a wrong development of the login process.
I just say, the problem is in the cookie test in the login process.
This is news and it's not any threat from a hacker; this is a warning for developers and users.
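
The check the post asks for, as an added example that is not part of the original post or of any site's code: a "Keep me signed in" cookie is tied to the password version it was issued under, so a change or reset invalidates it. AccountStore, replay_steps and the sample passwords are hypothetical and constructed for the illustration.

```python
import hashlib
import hmac
import secrets

class AccountStore:
    """In-memory stand-in for a site's user and persistent-login tables (hypothetical)."""

    def __init__(self, bind_cookie_to_password=True):
        self.bind = bind_cookie_to_password
        self.users = {}    # username -> (salt, password hash, credential version)
        self.cookies = {}  # sha256(cookie) -> (username, credential version at issue)

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password):
        """Signup, password change and password reset all end up here."""
        version = self.users[username][2] + 1 if username in self.users else 1
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._pw_hash(password, salt), version)

    def login_keep_signed_in(self, username, password):
        """Return a persistent cookie value, or None on bad credentials."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user[1], self._pw_hash(password, user[0])):
            return None
        cookie = secrets.token_urlsafe(32)
        # Only a digest of the cookie is stored server-side.
        self.cookies[hashlib.sha256(cookie.encode()).hexdigest()] = (username, user[2])
        return cookie

    def check_cookie(self, cookie):
        """Return the username the cookie authenticates, or None."""
        key = hashlib.sha256(cookie.encode()).hexdigest()
        username, issued_version = self.cookies.get(key, (None, None))
        if username is None:
            return None
        # The fix: a cookie issued under an older password is no longer valid.
        if self.bind and self.users[username][2] != issued_version:
            return None
        return username

def replay_steps(store):
    """Steps 2-7 of the post; returns what PC2's old cookie yields at step 7."""
    store.set_password("victim", "original-pw")       # constructed sample values
    store.set_password("victim", "pw-set-on-pc2")     # step 2 (PC2)
    pc2_cookie = store.login_keep_signed_in("victim", "pw-set-on-pc2")  # step 3
    store.set_password("victim", "pw-after-reset")    # step 5 (PC1 reset)
    return store.check_cookie(pc2_cookie)             # step 7 (PC2)
```

With bind_cookie_to_password=False the store behaves as the post describes; with the default, the cookie from step 3 stops working once the password is reset at step 5.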

All Comments

????????

by NotSoChiGuy In reply to Security warning on login ...

How much password could a hacker hack if a hacker could hack password?

I think i have a headache now. Where's the intern with my coffee???

LOL

by Shellbot In reply to ????????

42 makes more sense...

by NotSoChiGuy In reply to LOL

...than the original post, that's for d@mned sure!

TechRepublic is not Yahoo.

by CharlieSpencer In reply to Security warning on login ...

It's a big web. Are you sure you don't have your Yahoo credentials crossed up with some other site like TR, or Google, or Playboy?

Check

by mrizvandi In reply to TechRepublic is not Yaho ...

Check step by step on 2 computers; it's a better way to make sense of the big problem.

Upon further review,

by CharlieSpencer In reply to Check

As I understand your question, you want to know what happens if a hacker changes someone's password and that hacker has the 'Save password' option for that website.

You said the owner of the account changed the password. Therefore the one the hacker has saved won't work any more.

Go Palmy

by Shellbot In reply to Upon further review,

Good job deciphering :)

Apparently not.

by CharlieSpencer In reply to Go Palmy

But I'm not a Yahoo user and don't intend to pursue this any further.

This is not question

by mrizvandi In reply to Upon further review,

This is not a question, this is a warning!
Please read the step-by-step test.
Thanks

Wow

by LarryD4 In reply to This is not question

Does that sound like a threat or what??
