
Yahoo! News Ticker installation leaves plaintext userid & password in a log file!


Application:   Yahoo! NEWS TICKER
Platforms  :   Win95,98,NT


The installation process of the Yahoo! NEWS TICKER
leaves a file named "install.log" in the program
directory.  The file contains plaintext userid and 

The installation process also sets registry entries 
under hkey_local_machine/software/netcontrols/ticker  
that contain the plaintext userID and password.
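
A defender's check for the two storage locations described above, as an added example that is not part of the original advisory: given an account's own userid and password, it reports where those strings appear in a file such as install.log and, on Windows, in the values under the registry key named above. The sample log content and the script name are constructed; the advisory does not show the log's real layout or the registry value names.

```python
"""Report where a known userid/password sits in plaintext (added example)."""
import getpass
import sys

# Encodings a Windows log file or registry string may use for the same text.
ENCODINGS = ("cp1252", "utf-16-le")
# Constructed sample; the page does not show install.log's real layout.
SAMPLE_LOG = b"Copy ticker.exe\r\nUser=demo_user\r\nPass=Tr0ub4dor\r\n"


def find_plaintext(data, secrets):
    """Return (label, encoding, offset) hits; values are never echoed."""
    hits = []
    for label, value in secrets.items():
        for enc in ENCODINGS:
            try:
                needle = value.encode(enc)
            except UnicodeEncodeError:
                continue
            pos = data.find(needle) if needle else -1
            while pos != -1:
                hits.append((label, enc, pos))
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def registry_values(subkey=r"SOFTWARE\netcontrols\ticker"):
    """Yield (name, raw bytes) for each value under HKLM\\subkey (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            yield name, data if isinstance(data, bytes) else str(data).encode("utf-16-le")


if __name__ == "__main__":
    # Usage: python find_plaintext.py <path to install.log> <userid>
    secrets = {"userid": sys.argv[2], "password": getpass.getpass("password: ")}
    with open(sys.argv[1], "rb") as fh:
        for label, enc, off in find_plaintext(fh.read(), secrets):
            print(f"{sys.argv[1]}: {label} ({enc}) at byte {off}")
    if sys.platform == "win32":
        try:
            for name, raw in registry_values():
                for label, enc, _ in find_plaintext(raw, secrets):
                    print(f"registry value {name!r}: {label} ({enc})")
        except FileNotFoundError:
            print("registry key not present")
```

The password is read with getpass rather than taken from the command line, so the audit does not leave it in shell history or the process list.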

Each Yahoo account uses the same password/userid for
all parts including auctions, news,
classifieds, and most importantly, EMAIL!!!!

This is an independent finding, not a release by Yahoo!.

Advisory by CSB   24MARCH99

<end of transmission>

