client side vulnerability in yahoo mail
I. BACKGROUND
Yahoo! Inc. is an American computer services company with a mission to "be
the most essential global Internet service for consumers and businesses". It
operates an Internet portal, including the popular Yahoo! Mail. The global
network of Yahoo! websites received
3.4 billion page views per day on average as of October 2005.
Yahoo mail services are vulnerable to information leakage and authentication
bypass which is caused due to improper caching of pages by the browser.
II. DESCRIPTION
Yahoo has an interesting approach where, within a valid browser session the
pages can be viewed from the cache but after log out the back button cannot be
used to view pages. This is achieved by setting the cache-control directive to
private (Cache-Control:private), that allows caching of pages in the private
cache on the browser. However each page has a javascript that checks a random
value in a cookie, that is set at login and cleared at logout. If the value is
not found then there is a redirect to the main login page. The presence of this
value indicates a valid active session.
e.g
if(document.cookie != "" && document.cookie.indexOf("zI0XEB") == -1)
{
window.open("http://mail.yahoo.com";, "_top");
}
During valid sessions yahoo sets a cookie T= zI0XEB<random data>
As this cookie is cleared at logout the back button takes you to the page but
the above script redirects you to the main login page.
III. ANALYSIS
One work around the above scheme, is if we disable javascript after a valid
session log out, and then try to hit the back button. What is observed is that
the page is rendered very briefly before it detects that javascript has been
disabled and redirects you to another page. However the window is long enough
to catch a glimpse of the previous users private data.
e.g
<noscript>
<META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1">
</noscript>
Various tools can be used to intercept the redirect and cached private data of
previous users can be viewed without login.
IV. DETECTION
Yahoo mail has been confirmed vulnerable.
V. WORKAROUND
Cenzic is currently unaware of any effective workarounds that can be
implemented on the server in order to mitigate the risk of this vulnerability;
however, there are workarounds available for client protection. Clients could
disable caching of pages at the browser. This will prevent any pages from being
cached and view later. Take note that employing this workaround could adversely
affect browsing experience. The cache could also be cleared after browsing.
VI. VENDOR RESPONSE
Vendor claims to be working on the problem.
VII. CVE INFORMATION
VIII. DISCLOSURE TIMELINE
7/7/06 Initial vendor notification
??/??/??Initial vendor response
??/??/??Coordinated public disclosure
IX. CREDIT
Kishor Datar and Avinash Shenoi
X. LEGAL NOTICES
Copyright ©
Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of Cenzic. If
you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please email
for permission.
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.