T 4.11 Lack of authentication possibilities between NIS server and NIS client
If the NIS domain name is known, every computer can be registered as client and all NIS maps, particularly the passwd map, can be retrieved.
If it is possible to gain administration rights on a computer, this computer can be used to start an NIS server process (ypserv) on a privileged port. If you now restart the client process ypbind on the computer to be infiltrated and ensure that your server process answers before the proper NIS server does, any information can be copied to the client.