Full Disclosure mailing list archives

[Advisory] Phishing Vulnerability in Yahoo Search Engine and Yahoo Network. [Multiple]


From: Aditya K Sood <zeroknock () secniche org>
Date: Fri, 22 Jun 2007 10:08:56 -0700

Hi all

[Advisory 1]

Phishing and Redirection Vulnerability in Yahoo Network
Severity : Critical
Dated : 19 June 2007

Explanation:

A severe redirection and phishing vulnerability has been found in the Yahoo
Network. A URL that links onward to another Yahoo website can be
manipulated by an attacker to redirect traffic and be used for
phishing. The critical point is that the URL can be called by a
third party for phishing.

Example : [Persistent Links]
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://help.yahoo.com/l/us/yahoo/mail/yahoomail/tools/tools-08.html
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=565000002:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=0/SIG=11lp7krrc/*http://docs.yahoo.com/info/copyright/copyright.html
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=565000002:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=1/SIG=1136qnvkg/*http://docs.yahoo.com/info/terms/
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=565000002:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=3/SIG=134av65kc/*http://feedback.help.yahoo.com/feedback.php?.src=YSEC&.done=http://security.yahoo.com&.form=footer

The network is us.ard.yahoo.com. The vulnerability persists in the
internal redirection, whether invoked directly from the website or by a
third party. The attacker manipulates it as:

https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/<Rogue WebsiteName>

https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://www.google.com
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://www.hushmail.com


The whole network is vulnerable to this. It is virtually manipulated.

Status: Reported and Patched in 24 hours.

=====================================================================================================

[Advisory 2]
Yahoo Search Engine Phishing Vulnerability At Core
Severity : Critical
Dated : 19 June 2007

Explanation:

A severe redirection and phishing vulnerability has been found in the Yahoo
Search Network. The links provided by the search to the next page can be
manipulated by phishers to redirect traffic and use the Yahoo search
engine for phishing. The vulnerability affects the Yahoo search
engine in full.

Example: [Persistent Links]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=11
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIzJXNyoA/SIG=14o91b3v5/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=21
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAJDJXNyoA/SIG=14ods48an/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=31

The URLs above are taken from the next-page links for the query
"Hacking". The network used is rds.yahoo.com. The phisher exploits it
by stripping off the full Yahoo search URL and appending the rogue website.

[Original URL]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=11

[Phishing URL]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//[PhishingWebsite]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//www.google.com

The whole Yahoo search engine is vulnerable to this. The problem persists
in the internal linking.

Status: Reported to Yahoo Security. Accepted. Patch is in progress with
robust stature, as explained by Yahoo Security.

=========================================================================================================================

Regards

Aditya K Sood aka Zeroknock
http://www.secniche.org
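
The advisories above do not say how the redirectors were fixed. As an added example (not code from the advisory or from Yahoo), one server-side check for a "/*target" style redirector is to decode the target, validate its host against an allowlist, and redirect only to the validated string. ALLOWED_SUFFIXES, FALLBACK, the function names and the shortened sample links are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumption for this example: targets must sit under these domains.
ALLOWED_SUFFIXES = ("yahoo.com",)
FALLBACK = "https://www.yahoo.com/"  # assumed safe landing page


def extract_target(redirect_url: str) -> Optional[str]:
    """Return the decoded target after the '*' / '**' marker, or None."""
    marker = redirect_url.find("/*")
    if marker == -1:
        return None
    # rds-style links percent-encode the target once; ard-style links do not.
    return unquote(redirect_url[marker + 1:].lstrip("*"))


def is_allowed_target(target: str) -> bool:
    """Accept only absolute http(s) URLs whose host is under ALLOWED_SUFFIXES."""
    # Browsers treat '\' as '/' and strip tabs and newlines; refuse
    # backslashes, whitespace and control characters outright.
    if any(c == "\\" or ord(c) <= 0x20 for c in target):
        return False
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or "@" in parts.netloc:
        return False
    # Match whole labels: "evilyahoo.com" must not pass as "yahoo.com".
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def safe_location(redirect_url: str) -> str:
    """Location header value: the validated target, else FALLBACK."""
    target = extract_target(redirect_url)
    if target is not None and is_allowed_target(target):
        return target  # redirect to the string that was validated
    return FALLBACK


# Constructed sample links in the advisory's format (shortened parameters).
GOOD = "http://rds.yahoo.com/SIG=x/EXP=0/**http%3a//search.yahoo.com/search%3fp=Hacking%26b=11"
BAD = "https://us.ard.yahoo.com/SIG=x/R=0/SIG=y/*http://phish.example/login"

if __name__ == "__main__":
    for link in (GOOD, BAD):
        print(link, "->", safe_location(link))
```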

