Yahoo! Messenger Auth Bypass Vulnerability
This advisory is being provided to you under the policy documented at
http://www.wiretrip.net/rfp/policy.html.
You are encouraged to read this policy; however, in the interim, you have
approximately 5 days to respond to this initial email.
This policy encourages open communication, and I look forward to working with
you on resolving the problem detailed below.
-------------------------------------------------------------------------------------------------
I. BACKGROUND
Yahoo! Inc. is an American computer services company with a mission to
"be the most essential global Internet service for consumers and businesses".
It operates an Internet portal, including the popular Yahoo! Mail.
The global network of Yahoo! websites received 3.4 billion page views per day
on average as of October 2005.
Yahoo mail services when accessed via Yahoo! messenger are vulnerable to
information leakage and authentication bypass which is caused due to
improper caching of pages by the browser.
II. DESCRIPTION
When a user receives a new email, Yahoo messenger lets the user click a button
to open his
mail account in the browser. During this process, it uses a URL to login to
yahoo. This
url then redirects the user to his mail box.
The URL mentioned above is not tied with a session (Same URL can be used any
number of times).
Response to this URL does not specify that the browser should not keep its
entry in the cache.
Therefore, even after the user logs out of both messenger and email account,
the URL entry
still remains in the browser cache. Even after restarting the browser, this URL
can be retrieved
from the cache.
Malicious users can easily access browser cache and grab this URL. He can thus
login to
victim's Yahoo account without needing his credentials.
The URL looks like following
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=XXXXXXXX&.t=T=z=YYYYYYYYYYYY&.ver=2&.done=http%3a//us.rd.yahoo.com/messenger/client/%3fhttp%3a//mail.yahoo.com/
III. ANALYSIS
Successful exploitation of this vulnerability would allow an attacker to get
ACTIVE
access to victim's account. Attacker can therefore impersonate the victim and
misuse the account.
IV. DETECTION
Latest version of Yahoo! messenger is found vulnerable.
V. WORKAROUND
Response to the URL mentioned above should not get cached and should not remain
in the
cache record of the browser.
This URL should be requested over secure http in order to avoid leaking of the
URL at
several intermediate caches.
VI. VENDOR RESPONSE
??
VII. CVE INFORMATION
??
VIII. DISCLOSURE TIMELINE
11/22/2006 Initial vendor notification
??/??/??Initial vendor response
??/??/??Coordinated public disclosure
IX. CREDIT
Kishor Datar ( kishor [_a_t_] cenzic.com )
Cenzic Inc.
X. REFERENCES
Rajesh Sethumadhavan
http://searchsecurity.discussions.techtarget.com/WebX?233@xxxxxxxxxxxxxxxxx@.ee84078/463!enclosure=.1dd0ab61
XI. LEGAL NOTICES
Copyright ©
Permission is granted for the redistribution of this alert electronically. It
may not be edited
in any way without the express written consent of Cenzic. If you wish to
reprint the whole or
any part of this alert in any other medium other than electronically, please
email for permission.
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing
based on currently available information. Use of the information constitutes
acceptance for use
in an AS IS condition. There are no warranties with regard to this information.
Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage
arising from use of, or reliance on, this information.