Yahoo worm amendment.
Having done a little more research into the Yahoo worm issue, probably my favorite thing about it is that Yahoo has made it next to impossible to work around. You cannot simply stop rendering JavaScript and get around it, because that redirects you to their "JavaScript required" page.
It's a little annoying that a company refuses to allow you to use their site with simple protection in place. Of course they do allow you to use the old site, but that really shouldn't be forced on their users (of course there are ways around it, but it's getting to the point where users are better off in Lynx and just forgoing the whole Web 2.0 experience). More and more applications will be written this way, with a high-bandwidth and a low-bandwidth version, and users will have to make the same choice they do in almost everything else: more usability and less security, or vice versa. It's a hard choice.

June 12th, 2006 at 3:34 pm
OK, it seems to be time to say thanks to YAHOO! I would never say it's a "good" thing to attack or exploit something like this, but it's very good advertisement for the WebAppSec community. It's time that the world recognized that the dangerous BOFs are no longer the only threat; now there is a new part of IT security (of course it's not new, but most of the admins all over the world haven't realized that yet :P)
I also have some exploits like this one for YAHOO! If a blackhat also finds these vulns, he can take over more than 4,000,000 user accounts on the vulnerable sites, and I think everyone who reads this can think of some "funny" things an attacker could do with something like this.
So let’s start in a new and very interesting era of Security.
It’s time for WebAppSec
PS: I'm not interested in sharing the exploits I've got, but it seems that the admins of the sites don't want to patch them.
Sorry for my bad English and greetings,
Disenchant
June 12th, 2006 at 8:23 pm
You're exactly right, Sven, and in the case of Yahoo, I think you are really talking about the same statistics as MySpace. A large-scale denial of service attack launched from a massive XSS worm would be highly probable in such an environment. 10 GET requests per second from 4MM computers is 40MM requests per second.
That's a volume far greater than the typical Slashdot effect, and it could be sustained for a much longer timeframe and be far more focused. This really only becomes a problem with large sites like Yahoo and MySpace, because of the sheer volume of users who already patronize their websites.