ITTS012008 - YAHOO WEB MAIL URL REDIR
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Sat, 20 Sep 2008 16:09:42 -0700 (PDT)
INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
ADVISORY/0108 - YAHOO WEB MAIL URL REDIR
TYPE: Client Side
I - INTRUDERS:
Intruders Tiger Team Security is a project of
SecurityLabs (http://www.securitylabs.com.br). It is a group
of researchers with more than ten years of experience. The group
specializes in penetration tests and special projects like
II - INTRODUCTION:
Yahoo Web Mail is one of the largest web mail systems on the Internet.
The Portuguese-language version can be accessed at the URL below:
III - DESCRIPTION:
Intruders Tiger Team has discovered a URL redirect condition (an open redirect) in
Yahoo's web mail system that can be exploited in social engineering and
phishing attacks.
The URL redirect condition can be seen in the following link:
The ".done" parameter is interpreted by the web mail system AFTER the user's login
has been processed, so the user is automatically redirected to the page given in
the .done argument. Because the value is not restricted to Yahoo's own domains,
the genuine login page ends up sending the user to any site the attacker chooses.
If the user is already logged in, he or she is redirected immediately to the
fake page placed in the .done variable, without ever seeing a login form.
IV - ANALYSIS
The proof of concept can be reproduced by accessing the following link:
The user sees the genuine Yahoo authentication form. After logging in, he or she
is automatically redirected to the site named in the .done variable; in the case
above, that site is http://www.intruders.com.br/.
Note that this can be exploited in social engineering attacks: because the link
really starts at Yahoo's own login page, the attacker can easily forge a fake site
at the .done target and capture the victim's personal information.
V - DETECTION
Intruders Tiger Team Security has confirmed this condition in at least three
languages (Portuguese, English and German), but we believe the problem occurs in
every language version of Yahoo's web mail system.
VI - WORKAROUND
It is possible to detect and block requests whose .done parameter points to a
site outside the yahoo.com domain.
We suggest using regular expressions in a proxy (Squid) to mitigate this problem.
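The check implied by the description (a .done target must stay on Yahoo's own domains) and the proxy-side detection suggested in this workaround, as an added Python example that is not part of the advisory and not Yahoo's or Squid's code. The login URL path (/config/login), the allowed-domain list, the default landing path (/ym/) and the Squid access.log lines are assumptions constructed for the example.

```python
"""Validate and detect off-domain values of the `.done` post-login redirect parameter.

Added example, not code from the advisory or from Yahoo. The login URL,
the allowed-domain list and the default landing path are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of first-party domains a post-login redirect may target.
ALLOWED_DOMAINS = ("yahoo.com", "yahoo.com.br")
DEFAULT_LANDING = "/ym/"   # assumed safe fallback target


def done_target(url):
    """Return the percent-decoded `.done` value from `url`, or None if absent."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get(".done")
    return values[0] if values else None


def host_allowed(target, allowed=ALLOWED_DOMAINS):
    """True if `target` stays on an allowed domain or is a same-origin path.

    Rejects the usual open-redirect bypasses: scheme-relative `//evil`,
    userinfo tricks `http://yahoo.com@evil`, look-alike hosts `evil-yahoo.com`,
    backslash variants `/\\evil` that browsers normalise to `//evil`, and
    non-HTTP schemes such as `javascript:`.
    """
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # No authority: a plain relative path is fine; a malformed `http:evil`
        # (scheme but no host) is rejected because browsers complete it.
        return not parts.scheme
    host = (parts.hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def safe_redirect(done, default=DEFAULT_LANDING):
    """Hardened form of the post-login step: honour `.done` only when on-domain."""
    if done and host_allowed(done):
        return done
    return default


def flag_redirect_abuse(squid_log):
    """Scan Squid native access.log text (URL is the 7th field) and return
    (client, target) pairs whose `.done` parameter points off the allowed domains."""
    hits = []
    for line in squid_log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        target = done_target(url)
        if target is not None and not host_allowed(target):
            hits.append((client, target))
    return hits


# Constructed sample log lines (not real traffic); the login URL path is assumed.
SAMPLE_LOG = """\
1221951000.123    245 10.0.0.5 TCP_MISS/200 5120 GET https://login.yahoo.com/config/login?.src=ym&.done=http%3A%2F%2Fmail.yahoo.com%2Fym%2F - DIRECT/192.0.2.10 text/html
1221951002.456    310 10.0.0.7 TCP_MISS/200 5098 GET https://login.yahoo.com/config/login?.src=ym&.done=http%3A%2F%2Fwww.intruders.com.br%2F - DIRECT/192.0.2.10 text/html
1221951003.789     88 10.0.0.5 TCP_HIT/200 1234 GET http://br.yahoo.com/ - NONE/- text/html
"""

if __name__ == "__main__":
    for client, target in flag_redirect_abuse(SAMPLE_LOG):
        print(f"{client} sent off-domain .done={target}")
    phish = done_target(SAMPLE_LOG.splitlines()[1].split()[6])
    print("vulnerable behaviour would redirect to:", phish)
    print("hardened behaviour redirects to:       ", safe_redirect(phish))
```

The same host check can be expressed in Squid as a url_regex ACL combined with http_access deny, but a regex that merely looks for "yahoo" inside the .done value will pass values such as http://yahoo.com@attacker/ or http://attacker-yahoo.com/; matching on the parsed hostname, as above, avoids that.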
VII - SOLUTION
There is no solution (vendor fix) at the time of publication.
VIII - CHRONOLOGY
09/09/2008 - Vulnerability discovered.
09/10/2008 - Attempt to contact Yahoo - no success.
09/11/2008 - Attempt to contact Yahoo - no success.
09/15/2008 - Attempt to contact Yahoo - no success.
09/20/2008 - Advisory published.
IX - CREDITS
Glaudson Ocampos (Nash Leon) and Intruders Tiger Team
Security discovered this vulnerability.
Thanks to Ygor da Rocha Parrera, Waldemar Nehgme,
Ismael Rocha, Eduardo Camargo and Pamela Ocampos.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/