[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060904041934.2660.qmail@securityfocus.com>
Date: 4 Sep 2006 04:19:34 -0000
From: p3rlhax@...il.com
To: bugtraq@...urityfocus.com
Subject: client side vulnerability in yahoo mail
I. BACKGROUND
Yahoo! Inc. is an American computer services company with a mission to "be
the most essential global Internet service for consumers and businesses". It
operates an Internet portal, including the popular Yahoo! Mail. The global network of Yahoo! websites received
3.4 billion page views per day on average as of October 2005.
Yahoo mail services are vulnerable to information leakage and authentication bypass which is caused due to improper caching of pages by the browser.
II. DESCRIPTION
Yahoo has an interesting approach where, within a valid browser session the pages can be viewed from the cache but after log out the back button cannot be used to view pages. This is achieved by setting the cache-control directive to private (Cache-Control:private), that allows caching of pages in the private cache on the browser. However each page has a javascript that checks a random value in a cookie, that is set at login and cleared at logout. If the value is not found then there is a redirect to the main login page. The presence of this value indicates a valid active session.
e.g
if(document.cookie != "" && document.cookie.indexOf("zI0XEB") == -1)
{
window.open("http://mail.yahoo.com", "_top");
}
During valid sessions yahoo sets a cookie T= zI0XEB<random data>
As this cookie is cleared at logout the back button takes you to the page but the above script redirects you to the main login page.
III. ANALYSIS
One work around the above scheme, is if we disable javascript after a valid session log out, and then try to hit the back button. What is observed is that the page is rendered very briefly before it detects that javascript has been disabled and redirects you to another page. However the window is long enough to catch a glimpse of the previous users private data.
e.g
<noscript>
<META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1">
</noscript>
Various tools can be used to intercept the redirect and cached private data of previous users can be viewed without login.
IV. DETECTION
Yahoo mail has been confirmed vulnerable.
V. WORKAROUND
Cenzic is currently unaware of any effective workarounds that can be implemented on the server in order to mitigate the risk of this vulnerability; however, there are workarounds available for client protection. Clients could disable caching of pages at the browser. This will prevent any pages from being cached and view later. Take note that employing this workaround could adversely affect browsing experience. The cache could also be cleared after browsing.
VI. VENDOR RESPONSE
Vendor claims to be working on the problem.
VII. CVE INFORMATION
VIII. DISCLOSURE TIMELINE
7/7/06 Initial vendor notification
??/??/??Initial vendor response
??/??/??Coordinated public disclosure
IX. CREDIT
Kishor Datar and Avinash Shenoi
X. LEGAL NOTICES
Copyright ©
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Cenzic. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please email for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Powered by blists - more mailing lists