web application security lab

Yahoo SEM Logic Flaw

In the wake of a few different speeches by Jeremiah Grossman and Billy Hoffman on logic flaws, I thought this was pretty appropriate. I got an anonymous message today explaining how an interesting logic flaw popped up in the search engine marketing portion of Yahoo’s website. According to them, the site allows you to send them $30 for future spending with their advertising program, and in return you get $50 free SEM advertising as a promotional offer. The problem lies in the logic.

When a user signs up, the logic should state something like “if money is deposited then give a credit, if not then fail”. Unfortunately, according to them it doesn’t work that way. Regardless of whether your deposit is valid, and whether it fails or succeeds, it will still credit your account $50. Whoops. I haven’t tested this or tried it, but according to them at least a few people have already been able to use this trick, and of course that’s then tied to spamming or traffic arbitraging.
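The check described above, modelled as an added example; this is not Yahoo's code. The class, function names and deposit states are assumptions, and only the $30 and $50 figures come from the post. It puts the flawed flow beside a fail-closed one and adds a reconciliation query a defender could run over existing accounts.

```python
from dataclasses import dataclass, field
from enum import Enum

PROMO_MIN_DEPOSIT = 30  # figure from the post: deposit $30 ...
PROMO_CREDIT = 50       # ... and receive $50 of promotional credit

class DepositStatus(Enum):  # hypothetical payment outcomes
    SETTLED = "settled"
    PENDING = "pending"
    DECLINED = "declined"

@dataclass
class Account:  # hypothetical account record
    name: str
    balance: int = 0
    promo_granted: bool = False
    deposits: list = field(default_factory=list)  # (amount, DepositStatus)

def signup_flawed(acct, amount, status):
    """Behaviour the post describes: credit granted whatever the deposit outcome."""
    acct.deposits.append((amount, status))
    if status is DepositStatus.SETTLED:
        acct.balance += amount
    acct.balance += PROMO_CREDIT  # no dependency on the deposit result
    acct.promo_granted = True

def signup_checked(acct, amount, status):
    """Grant the credit only after a settled, qualifying deposit, once per account.
    Returns True only when the promotional credit was granted by this call."""
    acct.deposits.append((amount, status))
    if status is not DepositStatus.SETTLED:
        return False  # declined or still pending: fail closed
    acct.balance += amount
    if amount < PROMO_MIN_DEPOSIT or acct.promo_granted:
        return False  # too small, or promotion already used
    acct.balance += PROMO_CREDIT
    acct.promo_granted = True
    return True

def audit_unbacked_promos(accounts):
    """Reconciliation: accounts holding promo credit with no settled qualifying deposit."""
    return [a.name for a in accounts
            if a.promo_granted and not any(
                s is DepositStatus.SETTLED and amt >= PROMO_MIN_DEPOSIT
                for amt, s in a.deposits)]
```

Treating a pending deposit the same as a declined one matters here: the credit is tied to settlement, not to the attempt.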

4 Responses to “Yahoo SEM Logic Flaw”

  1. Yash Kadakia Says:

    I was recently doing an audit on a client’s shopping portal. Halfway through the audit we noticed that the client’s “reward” mechanism was flawed. It was possible for a user to legitimately earn free points, convert them to money and eventually use it to shop for products.

  2. Felstatsu Says:

    Serious logic error there. Just would take a simple check to find out if the deposit is valid before crediting the money too, but it seems in their haste to get this thing set up they skipped the validation programming and testing parts of the programming process. I can understand tight deadlines, I’ve had plenty of them myself, but there’s no excuse for a problem this big. When I’m given a deadline that is completely unreasonable I renegotiate the project, drop it and let them get someone else, or just don’t deliver it until it works right even if it goes over deadline.

  3. FavBrowser Says:

    I get this all the time:

    An error has occurred while trying to retrieve the data. Please try again later.

  4. Adrian Pastor Says:

    Talking about app logic flaws, you might want to take a look at the following: http://blog.procheckup.com/2008/06/of-pci-dss-and-product-certification.html

    The e-commerce environment requires the user to enter his password before the transaction can be completed (which is great in case the victim’s session has been hijacked). However, once the session ID is stolen, the attacker can go to the “change password” page and change the victim’s password WITHOUT entering the current password. So the attacker simply changes the pass to one of his choice, and then the transaction can be completed since he now “knows” the password.