Yahoo! Messenger Auth Bypass Vulnerability


This advisory is being provided to you under the policy documented at http://www.wiretrip.net/rfp/policy.html. You are encouraged to read this policy; however, in the interim, you have approximately 5 days to respond to this initial email. This policy encourages open communication, and I look forward to working with you on resolving the problem detailed below. ------------------------------------------------------------------------------------------------- I. BACKGROUND Yahoo! Inc. is an American computer services company with a mission to "be the most essential global Internet service for consumers and businesses". It operates an Internet portal, including the popular Yahoo! Mail. The global network of Yahoo! websites received 3.4 billion page views per day on average as of October 2005. Yahoo mail services when accessed via Yahoo! messenger are vulnerable to information leakage and authentication bypass which is caused due to improper caching of pages by the browser. II. DESCRIPTION When a user receives a new email, Yahoo messenger lets the user click a button to open his mail account in the browser. During this process, it uses a URL to login to yahoo. This url then redirects the user to his mail box. The URL mentioned above is not tied with a session (Same URL can be used any number of times). Response to this URL does not specify that the browser should not keep its entry in the cache. Therefore, even after the user logs out of both messenger and email account, the URL entry still remains in the browser cache. Even after restarting the browser, this URL can be retrieved from the cache. Malicious users can easily access browser cache and grab this URL. He can thus login to victim's Yahoo account without needing his credentials. The URL looks like following http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=XXXXXXXX&.t=T=z=YYYYYYYYYYYY&.ver=2&.done=http%3a//us.rd.yahoo.com/messenger/client/%3fhttp%3a//mail.yahoo.com/ III. ANALYSIS Successful exploitation of this vulnerability would allow an attacker to get ACTIVE access to victim's account. Attacker can therefore impersonate the victim and misuse the account. IV. DETECTION Latest version of Yahoo! messenger is found vulnerable. V. WORKAROUND Response to the URL mentioned above should not get cached and should not remain in the cache record of the browser. This URL should be requested over secure http in order to avoid leaking of the URL at several intermediate caches. VI. VENDOR RESPONSE ?? VII. CVE INFORMATION ?? VIII. DISCLOSURE TIMELINE 11/22/2006 Initial vendor notification ??/??/??Initial vendor response ??/??/??Coordinated public disclosure IX. CREDIT Kishor Datar ( kishor [_a_t_] cenzic.com ) Cenzic Inc. X. REFERENCES Rajesh Sethumadhavan http://searchsecurity.discussions.techtarget.com/WebX?233@144.LOkddTi3nsW.0@.ee84078/463!enclosure=.1dd0ab61 XI. LEGAL NOTICES Copyright © Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Cenzic. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.