Yahoo Pager security flaw lets users deactivate identities without authorization; fix on the way.
Date: Fri, 25 Dec 1998 09:31:21 -0600
From: Nathan Neulinger <[email protected]>
Reply-To: Bugtraq List <[email protected]>
To: [email protected]
Subject: Yahoo Pager - security bug w/ services 7,8
I've been working on a GTK (unix) yahoo pager client based on Doug
Winslow's yppro2.c source and found the following security problem while
testing some client functionality.
Any user can send a packet with service #7 or #8 and activate/deactivate
an identity, even if it isn't your own alternate identity. It does
appear that the primary id for the identity affected has to be logged on
though.
If you send a message to that id, it does go to the correct destination.
The problem is, it can be abused simply by someone logging on and
deactivating an identity for someone else, which makes it look like that
id logged off.
The fix - when your server handles an id-activate/id-deactivate service
request, it should make sure that request is coming from the primary ID
for that identity. (You should be able to do that without a protocol
version change.)
-- Nathan
-------------------------------------------------------------------------
Date: Tue, 29 Dec 1998 12:35:02 -0600
From: "Neulinger, Nathan R." <[email protected]>
To: [email protected]
Subject: followup on yahoo pager security problem
Just wanted to let everyone know, I heard from one of Yahoo's engineers. He
applied a fix to the server source, and it will be getting put in place on
the next server upgrade.
This is in regards to the service 7/8 identity activation problem.
-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: [email protected]
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
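A model of the server-side check the first post proposes, added here as an example (it is not code from the post or from Yahoo): service numbers 7 and 8 come from the post, while the identity directory, the session model and the return strings are assumptions.

```python
# Added example (not the post's or Yahoo's code): the server-side authorization
# check the post proposes for services 7/8. Service numbers come from the post;
# all names, data structures and return values are constructed assumptions.
from dataclasses import dataclass, field

SVC_ID_ACTIVATE = 7
SVC_ID_DEACTIVATE = 8

# Constructed directory: primary ID -> alternate identities it owns.
OWNERS = {"alice": {"alice_work", "alice_home"}, "bob": {"bob_games"}}

def owner_of(identity):
    """Return the primary ID that owns an alternate identity, or None."""
    return next((p for p, alts in OWNERS.items() if identity in alts), None)

@dataclass
class Server:
    logged_on: set = field(default_factory=set)   # primary IDs with a session
    active: dict = field(default_factory=dict)    # identity -> currently active?

    def handle_vulnerable(self, requester, service, identity):
        """Behaviour the post describes: only the target's primary ID must be
        logged on; the sender is never compared with the owner."""
        if service not in (SVC_ID_ACTIVATE, SVC_ID_DEACTIVATE):
            return "bad service"
        if owner_of(identity) not in self.logged_on:
            return "owner offline"
        self.active[identity] = service == SVC_ID_ACTIVATE
        return "ok"

    def handle_fixed(self, requester, service, identity):
        """Proposed fix: the request must come from the identity's own,
        logged-on primary ID. Rejections are worth logging for detection."""
        if service not in (SVC_ID_ACTIVATE, SVC_ID_DEACTIVATE):
            return "bad service"
        if requester not in self.logged_on or owner_of(identity) != requester:
            return "rejected"
        self.active[identity] = service == SVC_ID_ACTIVATE
        return "ok"

def demo():
    """bob asks to deactivate alice_work; only the fixed handler refuses."""
    srv = Server(logged_on={"alice", "bob"}, active={"alice_work": True})
    before = srv.handle_vulnerable("bob", SVC_ID_DEACTIVATE, "alice_work")
    knocked_off = not srv.active["alice_work"]
    srv.active["alice_work"] = True
    after = srv.handle_fixed("bob", SVC_ID_DEACTIVATE, "alice_work")
    owner_ok = srv.handle_fixed("alice", SVC_ID_DEACTIVATE, "alice_work")
    return before, knocked_off, after, owner_ok, srv.active["alice_work"]
```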