[ SOURCE: http://www.secureroot.com/security/advisories/9761913966.html ]

My Yahoo! sends passwords in clear-text
------------------------------------------------------------------------

SUMMARY

my.yahoo.com is a service provided by Yahoo! that allows people to view web pages customized for their preferences and to access free web-based email services. There are two possible login procedures: an automated login based on cookies, and an HTML form based login. While the login credentials stored in the cookies are obfuscated, the HTML form based login to the service (and the subsequent password verifications to access the email and calendar applications) is done in clear-text, with no attempt to encrypt or obfuscate the password (see capture below). It is therefore possible to compromise the email account by gaining access to the unencrypted form of the password; further, if this password is used elsewhere (for example, for an additional email account), a much wider compromise can occur.

DETAILS

The lack of any attempt to obfuscate the password allows a trivially simple attack: sniffing the passwords off any transit network, potentially compromising both the Yahoo! mail account and any other personal information stored in the user's profile (which includes gender, occupation, home address, work address, telephone and fax numbers, and other email account addresses). The seriousness of this issue is amplified by the large number of unsophisticated Internet users who (unwisely) re-use passwords for mail accounts and other logins. While this may come as no surprise to security-aware sysadmins, many users are clearly unaware of this vulnerability. Many similar on-line webmail services use either SSL/TLS or a JavaScript MD5-based challenge-response mechanism to avoid transmitting the password over the network in its unencrypted form.
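The challenge-response alternative mentioned above can be shown end to end. The following is an added example, not code from Yahoo! or from the advisory: it models the exchange with HMAC-SHA256 in place of the MD5 construction the text refers to, using a stored verifier, a single-use random challenge and a constant-time comparison (all assumed design choices). Both messages of the exchange are driven by `run_login`, so the reader can see that neither the password nor the stored verifier ever appears in the response sent over the wire.

```python
"""Challenge-response login that keeps the password off the wire.

Added example (not the advisory's or Yahoo!'s code). It models the hash-based
challenge-response mechanism the advisory mentions, with HMAC-SHA256 standing
in for MD5. The server stores a verifier derived from the password; the client
proves knowledge of that verifier without transmitting it.
"""
import hashlib
import hmac
import secrets


def verifier_for(username, password):
    """Server-side stored value. Assumed construction: the username acts as a
    salt so two users with the same password get different verifiers."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


class LoginServer:
    def __init__(self):
        self.verifiers = {}   # username -> stored verifier
        self.pending = {}     # username -> outstanding, not yet used challenge

    def register(self, username, password):
        self.verifiers[username] = verifier_for(username, password)

    def issue_challenge(self, username):
        """Message 1, server -> client: a fresh random nonce."""
        challenge = secrets.token_hex(16)
        self.pending[username] = challenge
        return challenge

    def verify(self, username, response):
        """Check message 2: recompute the expected response for the outstanding
        challenge. The challenge is consumed, so a replayed response fails."""
        challenge = self.pending.pop(username, None)
        verifier = self.verifiers.get(username)
        if challenge is None or verifier is None:
            return False
        expected = hmac.new(verifier.encode(), challenge.encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_respond(username, password, challenge):
    """Message 2, client -> server: an HMAC over the challenge keyed with the
    verifier. Neither the password nor the verifier is sent."""
    verifier = verifier_for(username, password)
    return hmac.new(verifier.encode(), challenge.encode(),
                    hashlib.sha256).hexdigest()


def run_login(server, username, password):
    """Drive one full exchange; return (accepted, response_on_the_wire)."""
    challenge = server.issue_challenge(username)
    response = client_respond(username, password, challenge)
    return server.verify(username, response), response


if __name__ == "__main__":
    # Constructed sample account using the advisory's placeholder values.
    srv = LoginServer()
    srv.register("username", "pass-word")
    accepted, wire = run_login(srv, "username", "pass-word")
    print("accepted:", accepted, "on the wire:", wire)
```

Two caveats a practitioner should keep in mind: the stored verifier is password-equivalent, so the server's verifier database needs the same protection a password hash database does, and a captured challenge/response pair can still be checked offline against password guesses. The scheme stops the password itself from crossing the network, but it does not protect the rest of the session (the profile data the advisory lists), which is why SSL/TLS remains the stronger of the two mitigations the text names.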
The HTTP headers and data contents of the POST form submission to the server are as follows (user IDs and passwords have been replaced with garbage data):

---------------------------------------------------------
POST /config/login?11d2t2v04l248 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: login.yahoo.com
Content-Length: 150
Connection: Keep-Alive
Cache-Control: no-cache

tries=1&.src=&.last=&promo=&.intl=us&.bypass=&.partner=&.u=2vvm1bct25s17&.v=0&hasMsgr=0&.chkP=Y&.done=&login=username&passwd=pass-word&.persistent=Y
---------------------------------------------------------

ADDITIONAL INFORMATION

The information has been provided by James Mancini.
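A defender reviewing traffic captures can spot this class of problem mechanically. The checker below is an added example, not part of the advisory: it parses a raw HTTP/1.x request, and for a form-encoded POST reports any field whose name looks like a credential, together with whether the request was carried over TLS. The field-name lists and the `over_tls` flag are assumptions for the example; the sample request is the advisory's own capture, re-assembled with the standard blank line between headers and body and with its placeholder "username" / "pass-word" values.

```python
"""Flag credential fields submitted in a plain-HTTP form POST.

Added example (not from the advisory): a checker a defender could run over
captured requests to find logins that carry the password in clear text, as the
Yahoo! capture does.
"""
from urllib.parse import parse_qs

# Assumed field-name lists; the advisory only shows "login" and "passwd".
SECRET_FIELDS = {"passwd", "password", "pass", "pwd", "pin"}
USER_FIELDS = {"login", "username", "user", "email"}


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(raw, over_tls=False):
    """Return a report of credential fields in a form POST, or None.

    over_tls records how the request was captured; a POST seen on plain HTTP
    (the advisory's case) is reported as exposed.
    """
    method, path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body, keep_blank_values=True)
    secrets = {k: v[0] for k, v in fields.items() if k in SECRET_FIELDS}
    users = {k: v[0] for k, v in fields.items() if k in USER_FIELDS}
    if not secrets:
        return None
    return {
        "host": headers.get("host", ""),
        "path": path,
        "user_fields": users,
        "secret_fields": secrets,
        "exposed": not over_tls,
    }


# The advisory's capture, with a CRLF blank line between headers and body.
SAMPLE_REQUEST = (
    "POST /config/login?11d2t2v04l248 HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: login.yahoo.com\r\n"
    "Content-Length: 150\r\n"
    "\r\n"
    "tries=1&.src=&.last=&promo=&.intl=us&.bypass=&.partner=&.u=2vvm1bct25s17"
    "&.v=0&hasMsgr=0&.chkP=Y&.done=&login=username&passwd=pass-word&.persistent=Y"
)

if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_REQUEST))
```

Run against the sample request the checker reports `passwd=pass-word` to `login.yahoo.com` as exposed; passing `over_tls=True` for a request captured from a TLS session keeps the field report but clears the exposure flag, which is the distinction the advisory draws between this login and the SSL/TLS-protected services it compares against.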