Author Topic: *NEW* The "Y!Mprovement" Project  (Read 2879 times)

0 Members and 0 Guests are viewing this topic.

Offline Adam X

  • Developer
  • Administrator
  • 1337
  • *
  • Posts: I am a geek!!
  • "I can hit a target through a telescope!"
  • Location: Ohio
*NEW* The "Y!Mprovement" Project
« on: June 27, 2011, 02:27:20 am »
Today, I'm announcing the creation of an open project that welcomes all contributors of the Yahoo! Chat community, specifically Yahoo! Messenger users, for their cooperation and input. Having 3rd party Yahoo! Chat developers on-board would be all the merrier. This new project has one goal, and it's simple, to improve Yahoo! Messenger and Yahoo!'s chat servers in any and every way we possibly can. While we don't have the source code to Yahoo! Messenger or their chat servers, we can still collect bugs, find glitches, and security vulnerabilities (which will be handled with higher priority, and some may need to be reported privately if they're of critical/severe nature) for categorization and submission to Yahoo!'s chat development team (Yahoo!'s Security and Privacy departments being applicable as well).

The Y!Mprovement project will be in the public domain, with the exception of privately disclosed security vulnerabilities of the aforementioned nature (only 'critical' or 'severe' natures need be private), for all to add to and for reference purposes in general. In essence, this will be the creation of a centralized, actively maintained, and reputable repository for bug tracking and for listing client/service improvements. The project will aim to cover LOTS of issues with the Windows version of the Yahoo! Messenger client, but will not be limited to just the client itself. Ideas/suggestions for improvement of existing Messenger features and reporting bugs/issues effecting the chat servers themselves are equally as welcome.

Implementation: The project can start here on our forums and branch out to it's own public Wiki and/or through a bug tracking system, such as Flyspray. Each issue reported will be verified accordingly (by myself and others) so it's able to be confirmed to exist within the proper environmental stimuli through the necessary means (steps/procedures) of reproduction. Each issue and improvement proposal will be categorized by type for organization. Priority scheduling can (and should) be used to rank importance of each confirmed issue/bug reported. For example, the audience affected will be of great importance due to the fact that some issues may be broader than others, such as issues pertaining to the chat servers themselves, which may globally apply to all Messenger versions and builds. These will be ranked higher on the "Needs Fixed" scale than client-specific bugs and issues in most cases, not necessarily all cases.

Goal: To improve (obviously) the most current version and build of Yahoo! Messenger and the Yahoo! chat system and network as a whole. Submissions concerning the client should only apply to the Windows US-based version of Yahoo! Messenger. Bugs dating years back that still exist can and should be listed, preferably first, as well as any new ones discovered. Reported issues can range from slightly annoying to extremely severe, both in the context of security, privacy, and client<->network operation (ie. a crippling bug that needs to be addressed by the Messenger development team).

Procedure/Steps for Reporting: All volunteers can report issues to the list. Including as many details as possible would be strongly appreciated. Hunting for new/unknown bugs independently, or jointly, would be extremely helpful. I will do much of this on my own and will collaborate with whomever, which, in fact, is strongly encouraged. A forum will be opened for users to start listing bugs and the issues they've found and isolated. After a sizable amount of bugs have been reported I will confirm each one, if possible, to make sure they're verifiable and able to be reproduced by Yahoo!'s development team for fixing. Any volunteer is welcome to try and confirm the issues themselves and report back to the forum with the results.

Lastly, if you are a technical user, researcher, or developer, feel free to include a proposed fix/solution to each issue you've reported. By doing the grunt work for Yahoo!, it will potentially make this project that much more useful to them as a valuable resource. The bugs will have already been identified, isolated, confirmed, and listed with/without additional proposed solutions to fix them.

Messenger feature and service improvement suggestions will be handled separately since they will be lower priority to Yahoo!'s development team, I can assure you of this. They've never been too good about taking user feedback into account regarding new features and improvements but collecting and aggregating many bugs into a single reference point (open document project model) is something that I believe will be much more successful. Rather than receiving scant, scattered, mostly publicly unverified reports from random chat users, we will have and maintain the master list of all that are known and newly discovered with the required existence confirmation procedure already handled for them.

-Each reported issue must have reproduction steps attached upon submission so they can be investigated and verified by myself and other project volunteers.

-Platform details such as your operating system version and edition (32/64-bit), service pack, and other relevant environmental details must also be included.


I will open the Y!Mprovement Project's forum immediately so we can start building a good foundation of issues that need to be addressed by Yahoo!'s respective departments. Hopefully, our list will grow and serve as an important asset to the Yahoo! Chat team for improving, and above all, actually fixing these issues with their client and servers. We ALL could benefit from this project, not just YTK users, but everyone using the entire Yahoo! Chat network, regardless of the operating system, and of course the (Windows) Yahoo! Messenger users directly. 8)

If the forums are down, which recently they've been quite unreliable (more on this later), you can alternatively e-mail me your bug or improvement suggestions directly. You may e-mail me them here --> security@ytkpro.com ~Text files ONLY!

Let the Collaboration Begin!! ;D

Share on Facebook Share on Twitter


Clusterphuck

  • Guest
Re: *NEW* The "Y!Mprovement" Project
« Reply #1 on: June 27, 2011, 03:24:51 am »
Wiki would be best, I'm thinking.

SomeGuyFromCanada

  • Guest
Re: *NEW* The "Y!Mprovement" Project
« Reply #2 on: June 27, 2011, 03:36:16 am »
Confirmed bugs posted on their very own Wikipedia page.

Offline Adam X

  • Developer
  • Administrator
  • 1337
  • *
  • Posts: I am a geek!!
  • "I can hit a target through a telescope!"
  • Location: Ohio
Re: *NEW* The "Y!Mprovement" Project
« Reply #3 on: June 28, 2011, 02:25:04 am »
^ That would be some funny ****. ;D They'd have one BIG Wiki page then, bigger than it is right now certainly.

Offline Dermot

  • Registered User
  • *
  • Posts: 24
Re: *NEW* The "Y!Mprovement" Project
« Reply #4 on: August 02, 2011, 02:31:48 pm »
While the original motive of this agenda is noble, I've seen what you all do with exploits and it ain't reporting them, well not until others figure them out and broadly exploit them.

What about this Initiative fixes or changes your reaction to this issue? 

Clusterphuck

  • Guest
Re: *NEW* The "Y!Mprovement" Project
« Reply #5 on: August 02, 2011, 06:51:35 pm »
Contrary to what you believe, Adam has and still does report vulnerabilities behind the scenes, especially once they become public or if they're really serious in nature. He has a direct line to a engineer so he could potentially get any vulnerability patched pretty quickly.

However, they have in the past not listened to Adam's advice in fixing certain things, like the 'buffer boot' crap.
« Last Edit: August 02, 2011, 06:56:06 pm by Clusterphuck »

Offline Adam X

  • Developer
  • Administrator
  • 1337
  • *
  • Posts: I am a geek!!
  • "I can hit a target through a telescope!"
  • Location: Ohio
Re: *NEW* The "Y!Mprovement" Project
« Reply #6 on: August 02, 2011, 08:01:17 pm »
Clusterphuck, that's because I haven't reported the buffer boot vulnerability exploitation details yet. I still have my write up waiting to be sent in to them. I will certainly submit it though, soon, along with several other SERIOUS, one of which is critical, vulnerabilities which I obviously won't be sharing here. Two of these are ban exploits, one is a XSS vuln (stealing cookies, ETS/Eoptions string encoded pass from the registry if it's there, etc), and some others.

I will kick this project off very soon and it will, or at least should, be quite helpful to the Yahoo! Messenger development team. Right now I've been really busy with other things, including the next build of YTK Enhanced and another project I'm working on on the side.

Offline Adam X

  • Developer
  • Administrator
  • 1337
  • *
  • Posts: I am a geek!!
  • "I can hit a target through a telescope!"
  • Location: Ohio
Re: *NEW* The "Y!Mprovement" Project
« Reply #7 on: August 02, 2011, 08:12:11 pm »
Dermot, which specific exploits are you referring to? I generally will only report vulnerabilities and privacy issues if they've become public or are close to being public, but there are exceptions of course (such as severe/critical ones I know about or have found myself). Unlike Dazza, I don't share exploits for 'fame' or so people can abuse them to have "fun", eventually leading to them being patched. I believe it's the wrong way to go about it, however, there have been a few cases in the past where I have done this (WAP Mobile single packet server-side boots, etc).

I believe in both full and partial disclosure, but only after the vendor (in this case Yahoo! Inc.) has been contacted first. If they're willing to work quickly to patch severe and critical vulnerabilities then I don't need to make them public. Some of the ones I've publicly released over the years have taken no longer than 24-48 hours to patch. Other people's exploits, some having been widely abused for long periods of time, can take months for Yahoo! to notice and patch.
« Last Edit: August 02, 2011, 08:14:37 pm by Adam »

Clusterphuck

  • Guest
Re: *NEW* The "Y!Mprovement" Project
« Reply #8 on: August 02, 2011, 08:44:00 pm »
Well damn, I thought you informed them and they never replied, haha. It'd be like them to do.

Offline TPLSolutions

  • Y!Epic Author
  • Registered User
  • *****
  • Posts: 3
Re: *NEW* The "Y!Mprovement" Project
« Reply #9 on: August 04, 2011, 06:45:16 pm »
Hello,

I personally at one point agreed with entirely fixing the system, now my view is actually varied.

I don't have a huge deal to add to this thread and I will refrain from being childish.

However I will state clearly that it is my opinion, although I cannot and will not attempt to speak for him, that Dazza did not release anything until the Yahoo! drama circle of self proclaimed hackers and gods grew to the point where, it was sheerly hilarious to watch them decimate eachother in a futile attempt to look better than they are, and more knowledgeable. I defend Dazza because there have been several years of misunderstandings and unlike 95% of the forum users, I can vouch for him as a programmer.

My outlook more matches Dazza's than that of this thread, and that is what Yahoo! have achieved. I used to try and be the good guy too.

When people take take take, rip your techniques, rebadge then claim you write malicious code, eventually there is no option but to revoke their access and privileges to utilise your works and efforts to protect them, just so they can talk mad smack and look good. I went through the same thing as the aforementioned exploitologist did, so I know exactly why he does what he does, and I absolutely support that route. Make no mistake about it. ;)

Such is life.

There is only one policy to adopt going forward. No mercy. ;)

Thank you,

Lee.

Clusterphuck

  • Guest
Re: *NEW* The "Y!Mprovement" Project
« Reply #10 on: August 04, 2011, 06:59:40 pm »
I personally couldn't care less anymore. I hope Yahoo destroys itself.

Offline Kris

  • Registered User
  • *
  • Posts: 15
  • Gamer
  • Location: On Steam Gaming
Re: *NEW* The "Y!Mprovement" Project
« Reply #11 on: August 04, 2011, 07:21:09 pm »
i agree with you.. there's nothing that can be said or you can do its just the same thing diffrent day.

Intel(R) Core(TM) i7 CPU X 990 Hex-Core @ 3.47GHz
Asus Rampage III Extreme
6GB (3x2GB) DDR3 Corsair Dominator-GT @ 2000 MHz
ATI Radeon HD 5970 2GB
Windows 7 Ultimate SP1 64-bit
Steam Version: 1634 / 1634
Win Bus Messenger Version 28, Build 105
Y!Epic 1.0.123.603 [enhanced edition]
Google Chrome 15.0.874.5
Microsoft Security Essentials

SomeGuyFromCanada

  • Guest
Re: *NEW* The "Y!Mprovement" Project
« Reply #12 on: August 04, 2011, 07:28:38 pm »
Meh

Moar! Apple Facetime y0h

Offline Adam X

  • Developer
  • Administrator
  • 1337
  • *
  • Posts: I am a geek!!
  • "I can hit a target through a telescope!"
  • Location: Ohio
Re: *NEW* The "Y!Mprovement" Project
« Reply #13 on: August 06, 2011, 01:30:53 am »
The goal of this project is to collect a sizable amount of bugs (mostly within Messenger but server issues too) for submission to the Yahoo! Messenger development team. Obviously, not every bug will be one that is exploitable to cause trouble, either locally or remotely. The main focus, actually, is to get Yahoo! to digest the information more easily, therefore, in theory, increasing the probability that they _may_ fix the issues at hand. Like I've stated several times over the years, you literally have to hold their hand in order for them to patch vulnerabilities and even some bugs that aren't security holes. The aim is to present the information clearly, accurately, in detail (as much as possible), with reproduction steps to demonstrate the issue(s) with an assigned priority/severity level (think Defcon levels).

I'm not against full or partial disclosure, as I already stated previously in my last post, but, this project will keep really bad or critical vulnerabilities private with limited details regarding how to exploit them and how they work at least UNTIL Yahoo! themselves have been contacted first. Contacting the vendor first, in this case Yahoo! Inc., is considered responsible disclosure. If they are unwilling to work with me/us then that's when full or partial disclosure should be employed. These are the standard steps, in that order, that all responsible and considerate security researchers typically adhere to during the process of vulnerability disclosure. For example, the most widely known and used vulnerability mailing list (Full Disclosure, hosted and sponsored by Secunia) @ http://lists.grok.org.uk/full-disclosure-charter.html is populated with researchers (from Bugtraq and many places elsewhere) that more often than not comply with this industry standard procedure. This considerate and responsible disclosure is mainly used by security professionals that are labeled "White hats" as well as some that are "Grey hats". Hackers and researchers that are considered "Black hats" tend to release "0day" exploits without contacting the vendor at all, vulnerabilities that many of which are often severe in nature.

The disclosure policy I've mostly abided by in the past and tend to loosely follow (for serious and critical vulns) is Rain Forest Puppy's (a well known hacker) own policy he created in an attempt to standardize the entire disclosure process. Anybody who is interested in the details can read up on it here...

Short Wiki information on it --> http://en.wikipedia.org/wiki/RFPolicy
Full RFPolicy version 2.0 --> http://web.archive.org/web/20071213205013/http://www.wiretrip.net/rfp/policy.html

Y!Mprovement, in no way, is meant to be a Yahoo! Chat specific Metasploit type of project (which is the largest, open source, exploitation-based framework for penetration testing). The purpose is to improve the Yahoo! Messenger chat client software and the chat servers (which includes voice, webcam, and the others), no exploitation-based framework is being built or hosted here. If I ever do start a pen testing exploitation framework then it will be a separate project entirely, one that would revolve heavily around code reuse that encapsulates both new and already existing exploitation methods and concepts.
« Last Edit: August 06, 2011, 01:57:21 am by Adam »