Full Disclosure mailing list archives
ITTS012008 - YAHOO WEB MAIL URL REDIR
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Sat, 20 Sep 2008 16:09:42 -0700 (PDT)
INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
http://www.intruders.com.br/
http://www.intruders.org.br/

ADVISORY/0108 - YAHOO WEB MAIL URL REDIR
PRIORITY: MEDIUM
TYPE: Client Side

I - INTRUDERS:
----------------
The Intruders Tiger Team Security is a project from SecurityLabs (http://www.securitylabs.com.br). It is a group of researchers with more than ten years of experience. The group is expert in penetration tests and special projects like critical missions.

II - INTRODUCTION:
------------------
Yahoo Web Mail is one of the greatest web mail systems on the Internet. In Portuguese, it can be accessed by the URL below:
http://mail.yahoo.com.br/

III - DESCRIPTION:
--------------------
Intruders Tiger Team has discovered one condition of URL Redir in Yahoo's Web Mail system that can be exploited in attacks using social engineering and phishing scams. The condition of URL Redir can be seen in the following link:

http://login.yahoo.com/config/exit?.direct=2&.done=http://www.intruders.com.br/&.src=ym&.intl=br&.last=http://br.mail.yahoo.com

The ".done" parameter is interpreted by the web mail system AFTER the user login has been processed. So, the user is automatically redirected to the page inserted in the .done argument. If the user is already logged in, he/she is automatically redirected to a fake page put in the variable .done.

IV - ANALYSIS
--------------
The proof of concept can be done by accessing the following link:

https://login.yahoo.com/config/login_verify2?.slogin=&.intl=br&.src=ym&.pd=&.bypass=&.partner=&.done=http%3a//login.yahoo.com/config/exit%3f.direct=2%26.done=http%3a//www.intruders.com.br/%26.src=ym%26.intl=br%26.last=http%3a//br.mail.yahoo.com

or

http://login.yahoo.com/config/exit?.direct=2&.done=http://www.intruders.com.br/&.src=ym&.intl=br&.last=http://br.mail.yahoo.com

The user will see the Yahoo authentication form. So, he can log in to the system and after this, he will be automatically redirected to the site in the .done variable; in the case above, the site is http://www.intruders.com.br/. Note that it can be exploited in attacks using social engineering where the attacker could easily forge one fake site and capture the victim's personal information.

V - DETECTION
-------------
Intruders Tiger Team Security has detected this condition in at least three languages (Portuguese, English and German), but we believe that this problem occurs in all languages of Yahoo's web mail system.

VI - WORKAROUND
----------------
It is possible to detect and block the sending of sites other than the yahoo.com domain in the parameter .done. We suggest the use of regular expressions in a proxy (Squid) to mitigate this problem.

VII - SOLUTION
-------------
There is no solution until now.

VIII - CHRONOLOGY
----------------
09/09/2008 - Vulnerability Discovered.
09/10/2008 - Attempt to contact Yahoo - no success.
09/11/2008 - Attempt to contact Yahoo - no success.
09/15/2008 - Attempt to contact Yahoo - no success.
09/20/2008 - Advisory Published.

IX - CREDITS
--------------
Glaudson Ocampos (Nash Leon) and Intruders Tiger Team Security have discovered this vulnerability. Thanks to Ygor da Rocha Parrera, Waldemar Nehgme, Ismael Rocha, Eduardo Camargo and Pamela Ocampos.

http://www.intruders.com.br/
http://www.intruders.org.br/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
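The advisory's workaround suggests a proxy regular expression that blocks `.done` values pointing off the yahoo.com domain. The following is an added example, not code from the advisory or from Intruders Tiger Team: it shows the host check such a rule needs to express, in Python rather than Squid syntax, and it handles two cases a naive substring regex gets wrong: a `.done` that nests a second login URL (the advisory's own proof-of-concept does this, so a check that only inspects the first `.done` sees a yahoo.com host and passes it) and a hostname that merely contains "yahoo.com" as a prefix. The allow-list of suffixes, the `attacker.example` host and all sample URLs other than the two taken verbatim from the advisory are constructed for illustration.

```python
"""Added example (not part of the advisory): decide whether a Yahoo login
redirect URL keeps its `.done` target on an allowed domain.

Assumptions (constructed for this example): the suffix allow-list below,
the `attacker.example` bypass host, and the `allow`/`block` decision names.
Only the /config/exit and /config/login_verify2 URLs and the `.done`
parameter come from the advisory itself.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: exact domains whose subdomains are also trusted.
ALLOWED_SUFFIXES = ("yahoo.com", "yahoo.com.br")

# Redirect targets may only use these schemes; a relative path has scheme "".
SAFE_SCHEMES = ("", "http", "https")


def host_is_allowed(host: str) -> bool:
    """Exact match or subdomain match against ALLOWED_SUFFIXES.

    Matching on the host boundary, not on a substring, is what stops a host
    such as br.mail.yahoo.com.attacker.example from passing the check.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def extract_done_targets(url: str, depth: int = 0) -> list:
    """Return every `.done` value in `url`, including `.done` values nested
    inside a `.done` value (the advisory's PoC wraps /config/exit inside
    /config/login_verify2). Recursion depth is capped to stay bounded."""
    targets = []
    if depth > 5:
        return targets
    query = urlsplit(url).query
    for value in parse_qs(query).get(".done", []):
        targets.append(value)
        targets.extend(extract_done_targets(value, depth + 1))
    return targets


def classify(url: str) -> str:
    """'allow' if every `.done` target (at any nesting level) is a relative
    path or an http(s) URL on an allowed host; otherwise 'block'."""
    try:
        for target in extract_done_targets(url):
            parts = urlsplit(target)
            if parts.scheme.lower() not in SAFE_SCHEMES:
                return "block"  # javascript:, data:, and similar
            if parts.netloc and not host_is_allowed(parts.hostname or ""):
                return "block"  # absolute or protocol-relative, foreign host
    except ValueError:
        return "block"  # unparseable netloc, e.g. a broken IPv6 literal
    return "allow"


# Sample inputs. The first two are the advisory's own PoC links; the rest are
# constructed to exercise the edge cases described in the comments.
SAMPLE_URLS = [
    "https://login.yahoo.com/config/login_verify2?.slogin=&.intl=br&.src=ym"
    "&.pd=&.bypass=&.partner=&.done=http%3a//login.yahoo.com/config/exit"
    "%3f.direct=2%26.done=http%3a//www.intruders.com.br/%26.src=ym%26.intl=br"
    "%26.last=http%3a//br.mail.yahoo.com",
    "http://login.yahoo.com/config/exit?.direct=2&.done=http://www.intruders.com.br/"
    "&.src=ym&.intl=br&.last=http://br.mail.yahoo.com",
    # Constructed: legitimate same-domain redirect, should be allowed.
    "http://login.yahoo.com/config/exit?.direct=2&.done=http://br.mail.yahoo.com/&.src=ym",
    # Constructed: hostname that contains "yahoo.com" but is not under it.
    "http://login.yahoo.com/config/exit?.done=http://br.mail.yahoo.com.attacker.example/",
    # Constructed: protocol-relative target, which browsers resolve to a host.
    "http://login.yahoo.com/config/exit?.done=//attacker.example/",
    # Constructed: relative path, same origin, should be allowed.
    "http://login.yahoo.com/config/exit?.done=/ym/login",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(classify(sample), sample[:80])
```

The same decision can be encoded as a Squid `url_regex` deny rule, but a regex has to anchor the host boundary explicitly (for example by requiring `.done=http(s)?://[^/?&]*\.yahoo\.com(\.br)?[/?&]` and rejecting everything else), and it cannot follow a nested, percent-encoded `.done` without a second, decoding pass; the Python version makes both requirements visible.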
Current thread:
- ITTS012008 - YAHOO WEB MAIL URL REDIR Martin Fallon (Sep 20)
- Re: ITTS012008 - YAHOO WEB MAIL URL REDIR Nick FitzGerald (Sep 20)