web application security lab

Yahoo Login Redirect Information Leakage

Behind in email again, I’m finally getting around to some older email (don’t be hurt if I don’t respond right away, my inbox is the bane of my existence). Gianni Amato sent me an interesting email the other day showing how Yahoo’s login redirection can be abused to steal the real name, the Yahoo email address and the email address used to register the account through a simple redirection:

Click here so you can see the string (if you aren’t already logged into Yahoo it will request that you do). After going through the Yahoo script, the string “.data” is appended, which is a base64-encoded string that you can decode here. Inside that string, as you can see, are the email addresses associated with the user, as well as the username of the victim. This would be particularly useful if the user is already logged into Yahoo (where they don’t have to log in). Just set up an iframe through an XSS vuln on any site, and steal the user’s information.

This is a classic case where a simple misused redirection can be used for something far more nefarious. Redirects are just never a good idea. Anyway, great find by Gianni!
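The redirect pattern described above next to a hardened form, as an added example (not code from the original post or from Yahoo). The hosts, the user record, the `|`-separated layout and all function names are assumptions; only the `.data` name comes from the post.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values (assumptions, not Yahoo's real hosts or fields).
ALLOWED_HOSTS = {"mail.example.com", "www.example.com"}
FALLBACK = "https://www.example.com/"
USER = {"name": "Jane Doe", "login": "jdoe@example.com", "alt": "jane@example.org"}


def leaky_redirect(target, user):
    """Pattern from the post: any target accepted, identity appended as .data."""
    blob = base64.b64encode("|".join(user.values()).encode()).decode()
    sep = "&" if "?" in target else "?"
    return target + sep + urlencode({".data": blob})


def leaked_fields(url):
    """What the receiving site reads back: base64 is encoding, not encryption."""
    blobs = parse_qs(urlsplit(url).query).get(".data", [])
    return base64.b64decode(blobs[0]).decode().split("|") if blobs else []


def safe_redirect(target):
    """Hardened form: https targets on our own hosts only, no identity in the URL."""
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK
    if parts.username or parts.password:  # reject user@host confusion
        return FALLBACK
    return target  # profile data stays server-side, keyed by the session


if __name__ == "__main__":
    outside = "https://third-party.example.net/collect"
    print("leaky :", leaky_redirect(outside, USER))
    print("reads :", leaked_fields(leaky_redirect(outside, USER)))
    print("safe  :", safe_redirect(outside))
    print("safe  :", safe_redirect("https://mail.example.com/inbox"))
```
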

5 Responses to “Yahoo Login Redirect Information Leakage”

  1. Delixe Says:

    Wow that’s really interesting, I tested it and works like a charm.

    This is scary not just because you can generate a spam list but you can acquire first and last names of people and make your spam more legitimate.

    For example:
    Dear Ryan Bentkowski, PayPal has recently required you to please send your password through email to us: paypal@yahoo.com.

    That could be really bad, must be legit right? A spammer doesn’t know your first or last name right? At least Ryan thinks so :P

    Well done yahoo =)

  2. dusoft Says:

    Does anyone know why I have prefilled weird characters as name, mail and the website in the comment form here?

    name: YcZwocPj8KcNmPkVPmc0iZped9Coudx2fn-ZFutEr7M.
    email: vn4VEycfjHkTAszctfFPMMfRMQlhH1rT6hIoeqKXw16nM1WmM75az1ccKZ–nt3l
    website: http://4Hq-VGT1orH5YZ_aFOEqzykMX3-1hthk4RyeR1oH3m69pPOUt1TzoQirDy3VgrVE

  3. RSnake Says:

    It has something to do with how the wordpress upgrade went. Yet another reason I’m going to discontinue upgrading going forward and instead I’ll be creating a divergent fork of the code. I’m tired of all these vulnerabilities and senseless UI upgrades that only make writing harder.

  4. VK Says:

    is it fixed?

  5. RSnake Says:

    Looks like it is fixed. Thanks for the heads up, VK.
