Peaches
Posted September 23, 2009

http://blogs.computerworld.com/horowitz

Michael Horowitz
Defensive Computing
September 22, 2009 - 4:56 P.M.

Poor programming makes Yahoo email insecure

Yahoo email users beware, bad guys can guess your password. Of course, it may take lots of guesses, but that's not a problem, thanks to some poor programming by Yahoo.

Original research by Ryan Barnett, director of application security research at Breach Security, was written up recently both on his blog and at The Register.

If you enter too many wrong passwords on the Yahoo webmail logon page, it eventually puts up a CAPTCHA, forcing you to prove you're a human being and preventing automated guessing. Fine.

However, there is another interface to Yahoo's email system, one that does not go through the well-designed login page. This alternate interface is a web application designed for Yahoo's partners. Companies that partner with Yahoo would like customers to be able to check their Yahoo email without transferring over to Yahoo. So, Yahoo offers a way to login without ever seeing a Yahoo.com web page.

But this alternate login mechanism has a couple vulnerabilities. Perhaps the biggest issue is that bad guys can guess passwords forever without being interrupted by a CAPTCHA. In fact, they aren't interrupted at all. You would expect that after some number of wrong passwords, the account would be temporarily frozen to prevent automated guesses. Not here.

full details at computerworld - http://blogs.computerworld.com/14786/poor_..._email_insecure
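The temporary freeze the article expects only works if the failure counter lives in the shared credential check rather than in one login page. The sketch below is an added example, not part of the original post, the article, or Yahoo's code; `AuthService`, the thresholds and the `"web"`/`"partner"` interface labels are hypothetical.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5        # assumed threshold, not a value from the article
FREEZE_SECONDS = 900    # assumed temporary-freeze duration


class AuthService:
    """Single credential check shared by every login front end."""

    def __init__(self, clock):
        self._clock = clock        # injectable time source, for testing
        self._users = {}           # account -> (salt, password hash)
        self._failures = {}        # account -> consecutive failures
        self._frozen_until = {}    # account -> time the freeze ends

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, account, password):
        salt = os.urandom(16)
        self._users[account] = (salt, self._hash(password, salt))

    def login(self, account, password, interface):
        """Return 'ok', 'denied' or 'frozen'. `interface` is only a label
        for logging: the counter is keyed on the account, so guesses sent
        through any front end draw on the same budget."""
        now = self._clock()
        if now < self._frozen_until.get(account, 0):
            return "frozen"        # refused even if the password is right
        salt, stored = self._users.get(account, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._frozen_until[account] = now + FREEZE_SECONDS
            self._failures.pop(account, None)
        return "denied"
```

Both the webmail page and a partner-facing endpoint would call `login()` on the same instance, so neither entry point can be used to sidestep the freeze.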