Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

ITTS012008 - YAHOO WEB MAIL URL REDIR
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Sat, 20 Sep 2008 16:09:42 -0700 (PDT)

INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORE

http://www.intruders.com.br/
http://www.intruders.org.br/


ADVISORE/0108 - YAHOO WEB MAIL URL REDIR


PRIORITY: MEDIUM 
TYPE: Client Side


 I - INTRUDERS:
----------------


O Intruders Tiger Team Security is a project from
SecurityLabs (http://www.securitylabs.com.br). It is a group
of researches with more ten years of experience. The group
is expert in penetration tests and special projects like
critic mission.



II - INTRODUCTION:
------------------

Yahoo WEb Mail is one of the greatest web mail system in the internet.
In portuguese, it can be accessed by the url below:

http://mail.yahoo.com.br/



III - DESCRIPTION:
--------------------

Intruders Tiger Team has discovered one condition of URL Redir in the
Yahoo's WEB Mail system that can be exploited in attacks using social
engineer and phishing scams.

The condition of URL Redir can be seen in the follow link:


http://login.yahoo.com/config/exit?.direct=2&.done=http://www.intruders.com.br/&.src=ym&.intl=br&.last=http://br.mail.yahoo.com


The ".done" parameter is interpreted by web mail system AFTER the user login
has been processed. So, automatically the user is redirected for the page
inserted in .done argument.

If the user is already logged, he/she is automatically redirected to
a fake page putted in variable .done.


IV -  ANALISYS
--------------

The proof of concept can be done accessing the follow link:

https://login.yahoo.com/config/login_verify2?.slogin=&.intl=br&.src=ym&.pd=&.bypass=&.partner=&.done=http%3a//login.yahoo.com/config/exit%3f.direct=2%26.done=http%3a//www.intruders.com.br/%26.src=ym%26.intl=br%26.last=http%3a//br.mail.yahoo.com

or

http://login.yahoo.com/config/exit?.direct=2&.done=http://www.intruders.com.br/&.src=ym&.intl=br&.last=http://br.mail.yahoo.com


The user will see the Yahoo authentication form. So, he can log in the system
and after this, he will be automatically redirected to the site in the .done variable,
in the case above, the site is http://www.intruders.com.br/.

Note that it can be exploited in attacks using social engineer where the attacker
could easily forge one fake site and capture vitim's personal informations.


V - DETECTION
-------------

Intruders Tiger Team Security has detected this condiction at least in three idioms
(Portuguese, English and German), but We believe that this problem occurs in all idioms
Yahoo´s web mail system.


VI - WORKAROUND
----------------

It´s possible to detect and block the sending of differents sites from yahoo.com domain
to parameter .done.

We suggest the using of regular expressions in Proxy(Squid) to mitigate this problem.


VI - SOLUCTION
-------------

There is not a soluction until now.


 VI - CRONOLOGY
----------------

09/09/2008 - Vulnerability Discovered.
09/10/2008 - Attempt to contact yahoo - no success.
09/11/2008 - Attempt to contact yahoo - no success.
09/15/2008 - Attempt to contact yahoo - no success.
09/20/2008 - Advisore Published.


VII - CREDITS
--------------

Glaudson Ocampos(Nash Leon) and Intruders Tiger Team
Security has discovery this vulnerability.

Thanks for Ygor da Rocha Parrera, Waldemar Nehgme,
Ismael Rocha, Eduardo Camargo and Pamela Ocampos.


http://www.intruders.com.br/
http://www.intruders.org.br/



      Novos endereços, o Yahoo! que você conhece. Crie um email novo com a sua cara @ymail.com ou @rocketmail.com.
http://br.new.mail.yahoo.com/addresses

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault