How to Cracking Yahoo Accounts

I spent one morning looking at Yahoo’s mail security …here’s what I’ve found and how I did it…..
I created an account whilst dialed into sify(ISP). I logged out and closed my browser. On reopening the browser I pasted in the following URL:

http://mail.yahoo.com/py/ymTop.py?y=1

and this took me back to my account with out any error messages or prompts for a login. I then closed my browser, disconnected from SIFY (ISP)and dialed into Sancharnet(ISP). When connected I opened my browser and pasted the same URL:And was taken back to my mail-box! This made me think there must be a cookie controlling this…sure enough there it was. (1 of 3)

One, the user@mail.yahoo.com cookie in the rough looks like this :

YM.Login
id%3dreIvr96lzVC4g%26s id%3dtMZu7cDVk5V9e%250a%26ts%3dX%2588B%2540
%25f5%2517%25cd%2599%25dc%253f%259c%25c1Y
mail.yahoo.com/
0
4227368448

29309637
2474945552
29188238
*
YM.Pref
farm%3d1%26silo%3dms4%26
email%3dmail-name%40yahoo.com%26head%3dbrief %26fwd%3dattach%26fontsz
%3dnormal%26msgwidth%3d72%26order%3ddown%26inc%3d5 0%26goto
%3dmsgmail.yahoo.com/
0422736844829309637247514555229188238*
but with all the Hex stripped out it slightly more managable:

[YM.Login]
id=reIvr96lzVC4g &<>sid=tMZu7cDVk5V9e%0a &
ts=X%88B%40%f5%17%cd%99%dc%3f%9c%c1Y
mail.yahoo.com/0422736844829309637247494555229188238*

[YM.Pref]
farm=1 & silo=ms4 & email=mail-name@yahoo.com &
head=brief & fwd=attach & fontsz=normal &
msgwidth=72 & o rder=down & inc=50 & goto=msg
mail.yahoo.com/
0
4227368448
29309637
2475145552
29188238
*

After being logged off for around an hour I reconnected to the Internet and pasted that URL again and got back in……this made me suspicious. I clicked on exit and checked the whole “exit” document. Down the bottom I found a link :

Log off completely.

Nice of them to warn you and put it way down the bottom. Most new users will not realise that the log off process is a double action if you log off “completely” then the cookie is removed from the Temporary Internet Files directory.

What does all this mean ?
Security wise if you can get physical access to a machine that someone has used to collect their mail and not done the double log off then you can access their account perhaps ad infinitum (I don’t know yet if the cookie has a TTL so to speak). In practice this means you’ll be cracking a friend’s, work (or school) colleague’s or family member’s account. Good for snooping on your girlfriend’s e-mail activities too. Unfortunately you can’t copy it to a floppy disk and save it in your own computer’s Temporary Internet Files directory because of the “Embarrassed …What you’d need to do is copy it to a floppy anyway…so you’ve got what info you need…then, now here’s the complicated part :

Set your own PC up as a web server as well as a DNS server (if you’ve got NT Server your laughing). Create a DNS entry for mail.yahoo.com and use the loopback (127.0. 0.1). Then create an html file with the necessary script to impart a cookie with this same information. Connect to mail.yahoo.com (you’ll actually loop back) and the cookie will be downloaded to the Temp Net files Directory….

Courtesy of Hackoshit.com

0 comments: