- Hello f0lks, sorry for being late, but here comes the rain again :)
- This is ViruS_HimA [From Egypt with love] :)
- get in touch on adam.theruler<'at'>yahoo
- First of all let me clear some points:
- 1- I'm one person not a group!
- 2- I've published only a few records from Adobe, and I will never use/share/sell/publish Adobe/Yahoo data/exploits anywhere.
- Yes, it's a promise.
- As I said, I'm not looking to ruin anybody's business. I stopped black hat activities a long time ago and will never be a black hat again.
- Why? Because a long time ago I started working as a security researcher and penetration tester in a legal manner with legitimate companies,
- so I'm not looking to ruin my career/reputation because of such activities.
- #Oh man, you already published emails from the Adobe DB; only a few records, yes, but wasn't that illegal? Isn't it better to report such things to the
- vendors rather than publish them on the internet?!
- This is a good question.
- I'm a very active vulnerability researcher; I'm doing vulnerability research every single minute of every single hour of every single day.
- Because of that, I have found tens of 0day vulnerabilities in big web sites such as Adobe/Microsoft/Yahoo/Google/Apple/Facebook and many more.
- As I said, I stopped black hat activities a long time ago and started reporting the vulnerabilities to the vendors.
- Google was great with fast replies and patch releases; the same goes for some others. But Adobe and Yahoo were so slow to reply
- and fix. You know what? Yahoo never replied to my message!
- So I decided to teach both of them a hard lesson to harden their security procedures. It would be a disaster if such companies'
- vulnerabilities were privately used in the underground and they never knew about it! Not only would their customers be affected, but the vendors themselves also suffer from such exploits.
- Adobe Acrobat/Flash, the Yahoo data leak of those 400k emails, and that Hotmail remote password reset vulnerability are examples.
- When I thought about teaching Adobe the lesson, I said to myself: if I don't publish a strong proof of concept for the vulns, I won't gain any
- trust or reputation for my notes! Also, if I published only Adobe emails, they would deny the leak and say
- they were randomly generated emails or collected from different DBs not related to Adobe's DBs!
- But if I leaked more emails, especially critical emails like .mil ones, they would move 10x faster to patch the vulnerabilities
- and would be forced to adopt better security procedures. And yes, this is what really happened!
- They investigated the case, shut down the vulnerable web site, emailed me the same day asking for vulnerability details,
- I sent them the details, and they said they were working to patch it and to amend their security!
- God damn it! Such things took 3-4 months for the vulnerabilities I reported to them before!
- Now all these things were done in only one day! Now you know why I did that, and that I was right in everything I did?
- Here we go for Yahoo. But this time I will publish proofs only, without publishing data like in the Adobe case;
- I already gained the trust I was looking for.
- ~ Leaks contain:
- Full file backup for one of Yahoo's domains!! [Leads to full access on the server of that domain]
- Full access to "12" of Yahoo's databases!! [Leads to full access on the server of that domain]
- Reflected XSS (Cross-Site Scripting) vulnerability.
- ~ Full file backup for one of Yahoo's domains ~
- IMG1: http://tnypic.net/e5wsf.jpg
- [if removed] : http://s15.postimage.org/5y28oreor/image.jpg
- IMG2: http://tnypic.net/9v3dk.jpg
- [if removed] : http://s11.postimage.org/6frqpm2o3/image.jpg
- ~ An SQL injection vulnerability in one of Yahoo's domains ~
- IMG1: http://tnypic.net/t7am1.jpg
- [if removed] : http://www.m5zn.com/img/?img=7cff83cbe4970da.jpg
- Hints for DB names: Pr***tionH**s, k*az*y << fair, eh?
- ~ XSS (Cross-Site Scripting) vulnerability ~
- IMG1: http://tnypic.net/la2va.jpg
- [if removed] : http://www.m5zn.com/img/?img=1693cee8ae3d2a4.jpg
- 1- I'm not the one on the news who is selling the Yahoo XSS for $700; you may have noticed that his name is "TheHell".
- Idk why that krebsonShitz is linking me to that attack! Why don't I sell the things I've got here, while it's awesome stuff, not just XSS?!!
- 2- I'm not planning to do any more leaks soon!
- Hey Yahoo! You have to think seriously about making a Hall of Fame for security researchers,
- because this will get you many more reports of your vulnerabilities. (Just a suggestion!)
- Always be proactive not reactive in safeguarding your critical data.
- ~ By ViruS_HimA ~
- ~ Shouts:
- Big shouts to (WZ), davai davai moy drug (come on, come on, my friend) :P
- BlueKaizen Team, especially Mo3tz :) << Couldn't attend this year but heard it R0xed like a charm!
- Synabse Team, especially Obzy & Sud0 :P
Yahoo data leak by Virus_Hima
Posted by a guest, Dec 15th, 2012