Yahoo! Messenger Auth Bypass Vulnerability

[kishor.tech@xxxxxxxxx]

This advisory is being provided to you under the policy documented at 
http://www.wiretrip.net/rfp/policy.html. 
You are encouraged to read this policy; however, in the interim, you have 
approximately 5 days to respond to this initial email. 
This policy encourages open communication, and I look forward to working with 
you on resolving the problem detailed below.

-------------------------------------------------------------------------------------------------

I. BACKGROUND

Yahoo! Inc. is an American computer services company with a mission to
"be the most essential global Internet service for consumers and businesses".
It operates an Internet portal, including the popular Yahoo! Mail.
The global network of Yahoo! websites received 3.4 billion page views per day
on average as of October 2005.

Yahoo mail services when accessed via Yahoo! messenger are vulnerable to
information leakage and authentication bypass which is caused due to
improper caching of pages by the browser.


II. DESCRIPTION

When a user receives a new email, Yahoo messenger lets the user click a button 
to open his
mail account in the browser. During this process, it uses a URL to login to 
yahoo. This
url then redirects the user to his mail box.

The URL mentioned above is not tied with a session (Same URL can be used any 
number of times).

Response to this URL does not specify that the browser should not keep its 
entry in the cache.
Therefore, even after the user logs out of both messenger and email account, 
the URL entry
still remains in the browser cache. Even after restarting the browser, this URL 
can be retrieved
from the cache.

Malicious users can easily access browser cache and grab this URL. He can thus 
login to
victim's Yahoo account without needing his credentials.

The URL looks like following
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=XXXXXXXX&.t=T=z=YYYYYYYYYYYY&.ver=2&.done=http%3a//us.rd.yahoo.com/messenger/client/%3fhttp%3a//mail.yahoo.com/

III. ANALYSIS

Successful exploitation of this vulnerability would allow an attacker to get 
ACTIVE
access to victim's account. Attacker can therefore impersonate the victim and
misuse the account.

IV. DETECTION

Latest version of Yahoo! messenger is found vulnerable.

V. WORKAROUND

Response to the URL mentioned above should not get cached and should not remain 
in the
cache record of the browser.

This URL should be requested over secure http in order to avoid leaking of the 
URL at
several intermediate caches.

VI. VENDOR RESPONSE
??

VII. CVE INFORMATION
??

VIII. DISCLOSURE TIMELINE

11/22/2006 Initial vendor notification

??/??/??Initial vendor response

??/??/??Coordinated public disclosure

IX. CREDIT

Kishor Datar ( kishor [_a_t_] cenzic.com )
Cenzic Inc.

X. REFERENCES
Rajesh Sethumadhavan
http://searchsecurity.discussions.techtarget.com/WebX?233@xxxxxxxxxxxxxxxxx@.ee84078/463!enclosure=.1dd0ab61

XI. LEGAL NOTICES

Copyright ©

Permission is granted for the redistribution of this alert electronically. It 
may not be edited
in any way without the express written consent of Cenzic. If you wish to 
reprint the whole or
any part of this alert in any other medium other than electronically, please 
email for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing
based on currently available information. Use of the information constitutes 
acceptance for use
in an AS IS condition. There are no warranties with regard to this information. 
Neither the author
nor the publisher accepts any liability for any direct, indirect, or 
consequential loss or damage
arising from use of, or reliance on, this information.