On Tue, 8 Apr 2014, David Blank-Edelman wrote:
On Apr 8, 2014, at 9:48 AM, Paul Graydon <[email protected]> wrote:
There is ample proof this morning that it can be used to acquire yahoo
credentials with ease as Yahoo remains unpatched.
So I’ve seen the screen shot too that went around, but I have to admit, I’m
curious about the mechanics behind that. Would anyone care to speculate just
how you use this bug to grab credentials in that way from them? I can hazard a
partial guess, but I’d like to hear if others have any more technical detailed
thoughts on how this was done.
Basically, this bug allows you to dump the entire address space of the server
and then go digging through it.
So anything the server knows at that instant (including end-user passwords and
other form data) can be dug out by the attacker if they are determined enough.
How hard or easy this is depends on a lot of things, but certs are stored in
fairly standard places, so you should create new certs (and new passphrases to
go along with them) if you think you may be a target of _anyone_
David Lang
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
