The goal of this project is to collect a sizable number of bugs (mostly within Messenger but server issues too) for submission to the Yahoo! Messenger development team. Obviously, not every bug will be one that is exploitable to cause trouble, either locally or remotely. The main focus, actually, is to get Yahoo! to digest the information more easily, therefore, in theory, increasing the probability that they _may_ fix the issues at hand. Like I've stated several times over the years, you literally have to hold their hand in order for them to patch vulnerabilities and even some bugs that aren't security holes. The aim is to present the information clearly, accurately, and in detail (as much as possible), with reproduction steps to demonstrate the issue(s) and an assigned priority/severity level (think Defcon levels).
I'm not against full or partial disclosure, as I already stated in my last post, but this project will keep really bad or critical vulnerabilities private, with limited details regarding how to exploit them and how they work, at least UNTIL Yahoo! themselves have been contacted first. Contacting the vendor first, in this case Yahoo! Inc., is considered responsible disclosure. If they are unwilling to work with me/us then that's when full or partial disclosure should be employed. These are the standard steps, in that order, that all responsible and considerate security researchers typically adhere to during the process of vulnerability disclosure. For example, the most widely known and used vulnerability mailing list (Full Disclosure, hosted and sponsored by Secunia) @ http://lists.grok.org.uk/full-disclosure-charter.html is populated with researchers (from Bugtraq and many places elsewhere) that more often than not comply with this industry standard procedure. This considerate and responsible disclosure is mainly used by security professionals that are labeled "White hats" as well as some that are "Grey hats". Hackers and researchers that are considered "Black hats" tend to release "0day" exploits without contacting the vendor at all, vulnerabilities many of which are often severe in nature.
The disclosure policy I've mostly abided by in the past and tend to loosely follow (for serious and critical vulns) is Rain Forest Puppy's (a well known hacker) own policy he created in an attempt to standardize the entire disclosure process. Anybody who is interested in the details can read up on it here...
Short Wiki information on it --> http://en.wikipedia.org/wiki/RFPolicy
Full RFPolicy version 2.0 --> http://web.archive.org/web/20071213205013/http://www.wiretrip.net/rfp/policy.html
Y!Mprovement, in no way, is meant to be a Yahoo! Chat specific Metasploit type of project (which is the largest, open source, exploitation-based framework for penetration testing). The purpose is to improve the Yahoo! Messenger chat client software and the chat servers (which includes voice, webcam, and the others); no exploitation-based framework is being built or hosted here. If I ever do start a pen testing exploitation framework then it will be a separate project entirely, one that would revolve heavily around code reuse that encapsulates both new and already existing exploitation methods and concepts.