Student security researcher Jing Wang from School of Physical and Mathematical Science at Nanyang Technological University, Singapore, has found new security vulnerabilities related to Yahoo.
After reporting several Open Redirect vulnerabilities to Yahoo. Yahoo’s responses were “It is working as designed". It seems that Yahoo do not take the vulnerabilities seriously at all.
Based on Wang’s report on Full Disclosure “Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “this intended behavior". However, these vulnerabilities were patched later."
The vulnerability of Yahoo occurs at “ard.yahoo.com" page. While the vulnerability of Yahoo Japan happens at sensitive page “http://order.store.yahoo.co.jp".
Proof of concept on YouTube were also released to illustrate exploits.
(1)Yahoo Open Redirect
(2)Yahoo Japan Open Redirect
In fact, Yahoo’s users were attacked based on redirection this year. Base on CNET on January 4, 2014, “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. "
Wang wrote that the attack could work without a user being logged in. And his tests were using Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in Windows 8.
Redirect can ensure a good user experience. However, if it is not properly provided. Attackers can use this to trick users. This is common in Phishing attacks and Spams.
On 21 December, 2014. Yahoo.com’s Alexa ranking is 4. While Yahoo.co.jp’s Alexa ranking is 17. Both of them are very popular around the world. From Wikipedia, “Yahoo during July 2013 surpassed Google on the number of United States visitors to its Web sites for the first time since May 2011, set at 196 million United States visitors, having increased by 21 percent in a year."
Open redirect is listed in OWASP top 10. The general consensus of it is “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust."