April 29th, 2004 04:50 AM
Yahoo Authentication Vulnerability
While I was browsing, I stumbled upon a Yahoo! authentication script injection vulnerability.
By this we can inject our own scripts just after authentication.
The link below illustrates an example of a script injection where you get the authentication code cookie for the particular user.
I request you to try it out...
You can test it here.
I've a doubt...
What do I do with the code shown up as our authentication code...
What is the use if I get the code??
With the help of the code, presumably, I can log on to Yahoo into the particular account without my username or password... How do I do it??... How can it be related with the cookie... I'm totally confused.
Can anyone give a bit more detailed explanation??
Thank you very much.
April 29th, 2004 05:06 AM
This looks kinda suspicious to me...
After looking at it, it almost seems like a ploy to get people's Yahoo accounts...
However, if you go to the root directory of the page given, it seems legitimate...
April 29th, 2004 05:54 AM
Did they already fix it? I can't get it to work in Firefox or IE. It doesn't seem like they could do much with the cookie/code anyway. I would assume it is encrypted and is only valid for a certain amount of time, or maybe even only valid for a certain IP address?
April 29th, 2004 06:18 AM
Evidently this is working properly. On the page linked above at ZapTheDingBats.com is the following code:
And it shows up again on the Yahoo page (which is legitimately a Yahoo page):
<form method="POST" action="https://login.yahoo.com/config/login">
<input type="submit" class="submit" value="Test Exploit"/>
</form>
It is indeed posted to the Yahoo secure login page, which is also again forwarding you on login success.
The Yahoo page posts the data to the following URL:
For those untrusting, save a copy of the zapthedingbat page locally, and change the following line:
1. They don't check that the referring URL is from their domains.
2. They check for raw <script> tags, and ' and ", however they don't check for the URL-encoded (unicode) values of those things, and when the location is rewritten to the browser, %22 is literally re-sent (and translated into "). Some simple unicode filtration would pretty well shut this vulnerability down.
No, it isn't a scam, but they may be using this vulnerability to collect passwords, so I'd encourage anyone playing with this to work from a copy of the script with the modifications I put above.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
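The two fixes the post above sketches, decoding the parameter before filtering it and checking that the post-login destination stays on one of their own domains, as an added example that is not code from the thread or from Yahoo; the allowed-host set and the filter regex are assumptions standing in for whatever the real login page did:

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed allowlist standing in for "their domains" in the post (assumption).
ALLOWED_HOSTS = {"login.yahoo.com", "mail.yahoo.com"}

# What the post says the login page looked for: raw <script> tags and quotes.
DANGEROUS = re.compile(r"<\s*script|['\"]", re.IGNORECASE)


def naive_rejects(value: str) -> bool:
    """Filter applied to the raw, still-encoded parameter, as the post describes."""
    return bool(DANGEROUS.search(value))


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so %22 and %2522 both become a quote."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def hardened_rejects(value: str) -> bool:
    """Decode first, then filter; also require the redirect target to stay on an allowed host."""
    canonical = canonicalize(value)
    if DANGEROUS.search(canonical):
        return True
    parts = urlsplit(canonical)
    if parts.scheme not in ("", "http", "https"):
        return True  # javascript:, data: and similar schemes are never a valid destination
    # hostname ignores any user@ prefix, so mail.yahoo.com@evil.example resolves to evil.example
    if parts.netloc and parts.hostname not in ALLOWED_HOSTS:
        return True
    return False
```

Run `naive_rejects` and `hardened_rejects` side by side on an encoded value such as `http://mail.yahoo.com/%22%3E%3Cscript%3E` to see the raw filter pass it and the canonicalizing one reject it.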
April 29th, 2004 03:03 PM
"People fear what they don't understand." I withdraw my past post in the thread...