Yahoo Open Redirect Vulnerability - or "Designing vulnerabilities"
From: Robert Kugler <robert.kugler10 () gmail com>
Date: Wed, 27 Nov 2013 19:33:05 +0100
I'm Robert Kugler a 17-year-old German student.
In the past I took part in a variety of bug bounty programs. I helped
Mozilla, PayPal, AVAST Software and Microsoft (to name a few) by reporting
Now I tried to participate in Yahoo's bug bounty program and sent them a
range of discovered open redirect vulnerabilities, because they especially
state they are eligible for a bounty. I took one of the last emails from
Yahoo to show you the problem. It's not a critical vulnerability like XSS
or RCE. Nevertheless the flaw will damage Yahoo's reputation if it's abused
by spammers, because the link seems to direct the user to Yahoo's
This link will redirect you to any site you want, phishing sites, exploit
*Now Yahoo's point of view:*
Thank you for your submission to Yahoo! We are aware of this functionality
on our site and it is working as designed. Please continue to send us
Yahoo Security Contact"
Designed for cybercriminals! This kind of vulnerability isn't new to
"...According to E Hacking News, the cybercriminals have also leveraged a
similar vulnerability in a Yahoo domain to trick users into thinking that
the links point to a trusted website...." (07.06.2013)
I hope this will change Yahoo's opinion!
Be careful & stay safe!
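The class of bug Robert describes is a redirect endpoint that forwards the user to whatever URL a query parameter names. The following is an added example, not code from the post or from Yahoo: a minimal "working as designed" redirect beside a hardened target check that accepts only same-origin paths or absolute URLs whose host is on an allowlist. The host names (`example.com`), the parameter name `url` and the fallback path are assumptions for illustration. The check also covers the common bypasses of naive filters: protocol-relative `//host`, backslash and control-character variants that browsers normalise to a slash, `user@host` forms that hide the real host in the userinfo part, and non-HTTP schemes.

```python
"""Open-redirect target validation (added example; assumed host names)."""
from urllib.parse import urlsplit

# Assumption: the only hosts this application may send users to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SAFE_FALLBACK = "/"


def vulnerable_redirect_target(params: dict) -> str:
    """'Working as designed': the user is sent wherever the caller asks."""
    return params.get("url", SAFE_FALLBACK)


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-origin path or an allowlisted absolute URL."""
    if not target or target != target.strip():
        return False
    # Browsers strip tabs/newlines before parsing ("/\t/evil" -> "//evil") and
    # treat "\" like "/", so refuse control characters and backslashes outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading slash.  "//host" and "///host"
        # would be interpreted as an authority by the browser.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, mailto:, and "//host" (empty scheme)
    # .hostname is lower-cased and already has any "user:pass@" prefix removed,
    # so "https://example.com@evil.com" yields "evil.com" here.
    host = parts.hostname
    return host is not None and host.rstrip(".") in allowed_hosts


def safe_redirect_target(params: dict, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened version: unknown destinations fall back to a local page."""
    target = params.get("url", "")
    return target if is_safe_redirect(target, allowed_hosts) else SAFE_FALLBACK


if __name__ == "__main__":
    # Constructed inputs a spammer might place in the "url" parameter.
    for candidate in ["//evil.example.net", "https://example.com@evil.example.net/",
                      "/\\evil.example.net", "https://example.com/inbox", "/settings"]:
        print(f"{candidate!r:45} -> {safe_redirect_target({'url': candidate})}")
```

Exact host matching is deliberate: a suffix test such as `host.endswith("example.com")` would admit `notexample.com`, and a prefix test would admit `example.com.evil.example.net`. If subdomains must be allowed, compare against the registrable domain explicitly rather than with string prefix/suffix checks.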
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/