web application security lab

CSRF Adds Your Feed To my.yahoo.com

In all the recent waves of RSS hacks, I thought I’d toss in another. This one isn’t a way of breaking in using RSS, but it is a method for getting people to add your feed automatically. Yahoo is vulnerable to cross-site request forgery (CSRF): a logged-in user can be made to add your RSS feed to their page automatically, without any action on their part:

Here are the steps: make sure you are logged into my.yahoo.com, then go to this page to automatically add sla.ckers.org (our new forums site) to your RSS feeds in my.yahoo.com (it may take a few seconds to show up in your account).

CSRF can enable a lot of things, and combined with additional exploitation it could be really nasty. At a minimum you can get your content onto their pages, which could be very interesting. It could also build up organic traffic over time if you happen to run a news site or something else that looks like it belongs there. It’s pretty easy to detect this and stop it, but at the moment it works.
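The post says this is easy to detect and stop. The following is an added example written for this page (it is neither the post's code nor Yahoo's implementation) showing the vulnerable pattern the post describes beside a hardened handler: a state-changing "add feed" endpoint that only honours POST, checks the request's Origin (or Referer) against the site's own origin, and requires a per-session anti-CSRF token. The site origin, the signing key, the request/session objects and the in-memory session store are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed values: a real service loads the key from configuration and
# SITE_ORIGIN stands in for the portal's real origin.
SECRET_KEY = b"constructed-demo-signing-key"
SITE_ORIGIN = "https://my.example.test"


@dataclass
class Session:
    user: str
    feeds: list = field(default_factory=list)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    params: dict
    cookies: dict
    headers: dict


SESSIONS: dict = {}  # session id -> Session


def make_session(user: str = "victim") -> str:
    """Create a logged-in session and return its cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def csrf_token(sid: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under a server secret.
    The attacker's page never sees the victim's session id, so it cannot forge this."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def vulnerable_add_feed(req: Request):
    """The pattern the post describes: the browser attaches the session cookie
    to any request, so a GET triggered from a third-party page adds the feed."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "login required"
    sess.feeds.append(req.params["url"])
    return 200, "feed added"


def _same_origin(req: Request) -> bool:
    """Compare scheme and host of Origin (falling back to Referer) with SITE_ORIGIN.
    A missing header is treated as cross-origin; exact match avoids prefix tricks."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    got, want = urlsplit(src), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def hardened_add_feed(req: Request):
    """Same operation with the three checks that defeat a forged request."""
    sid = req.cookies.get("sid", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"
    if not _same_origin(req):
        return 403, "cross-origin request rejected"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "missing or invalid anti-CSRF token"
    sess.feeds.append(req.params["url"])
    return 200, "feed added"


if __name__ == "__main__":
    sid = make_session()
    forged = Request("GET", {"url": "http://attacker.example/feed.xml"},
                     {"sid": sid}, {"Referer": "http://attacker.example/page.html"})
    print("vulnerable handler:", vulnerable_add_feed(forged))
    print("hardened handler:  ", hardened_add_feed(forged))
    legit = Request("POST", {"url": "https://news.example/rss", "csrf_token": csrf_token(sid)},
                    {"sid": sid}, {"Origin": SITE_ORIGIN})
    print("hardened, legit:   ", hardened_add_feed(legit))
```

The Origin/Referer check alone is a useful detection signal (log rejected requests and the referring host), but the token is the control that holds even when browsers strip those headers; the confirmation step mentioned in the comments below is the same idea expressed as a user-visible form that carries the token.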

2 Responses to “CSRF Adds Your Feed To my.yahoo.com”

  1. Legionnaire Says:

    Haha that’s why Google has this annoying confirmation every time you want to add a feed :P

  2. Dan Says:

    Very interesting, thanks for the tip!