
Dumping Yahoo authentication secrets with an out-of-bounds read - scarybeast
https://scarybeastsecurity.blogspot.com/2017/05/bleed-more-powerful-dumping-yahoo.html
======
smaili
For those wondering, this issue (referred to as YB2 or Yahoobleed #2 by the
author) has _already been fixed_ by Yahoo:

> Yahoo! fixed YB2 at the same time as YB1, by retiring ImageMagick.

~~~
scarybeast
FWIW, I've been very impressed with how Yahoo! handled this disclosure.

------
scarybeast
This is YB (Yahoobleed) #2. You might also enjoy YB #1: "*bleed continues: 18
byte file, $14k bounty, for leaking private Yahoo! Mail images":
[https://scarybeastsecurity.blogspot.com/2017/05/bleed-
contin...](https://scarybeastsecurity.blogspot.com/2017/05/bleed-
continues-18-byte-file-14k-bounty.html)

------
mdani
What is pointer visualization?

~~~
logicallee

      Neo stares at the endlessly shifting river of
      information, bizarre codes and equations flowing across
      the face of the monitor.
    
      NEO
      Do you always look at it encoded?
    
      CYPHER
      Have to. You have no idea what the
      server is running - there's way too
      much information to decode the Yahoo.
      You get used to it, though.  Your brain
      does the translating.  I don't even
      see the code.  All I see is "pointer",
      "string  compare", "function call".
      You want a drink?

