12:07 Job amateurish or how Yandex stores passwords | |
| Many (Habrough) people at risk "profukannyh all polymers, using Yandex services for the collection korrespondetsii or spam filtering to other mailboxes. The issue arose particularly acute when more recently in the Ya-line option appeared tracking multiple email accounts. If attackers vykradut \ pick up the keys to your uchetki, it is in their hands immediately will be secondary to appear \ passwords. As the guys from Yandex could prevent such a mistake, I'll never know. By the way, the situation is urgent for several years. Below is an illustration of the vulnerability. Topic prepared jeditobe, published by me, since the author did not have enough karma. This is the first of his post. 1.Zahodim in Yandex.Mail, then click on "Settings" link and type of mail. " 2.Vybiraem "classic" interface. 3.Zhmem references "settings" and "retrieval" 4.Podaem a page listing all the boxes, which monitors the garbage. 5.Vybiraem any of the concerned records by clicking on the link - opens a popup window with the settings. 6. Look in the source code of the contents of the pop-up windows, and among the few period we find some very interesting. Yandex uses for these pages, the protocol http://, which allows network traffic to intercept user names and passwords. UPD Moved to Information Security Blog UPD2 A staff member Yandex | |
|
| |
| Total comments: 0 | |