lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <467C0228.7080402@secniche.org>
Date: Fri, 22 Jun 2007 10:08:56 -0700
From: Aditya K Sood <zeroknock@...niche.org>
To: full-disclosure@...ts.grok.org.uk,  bugtraq@...urityfocus.com, 
	websecurity@...appsec.org
Subject: [Advisory] Phishing Vulnerability in Yahoo Search
 Engine and Yahoo Network. [Multiple]

Hi all

[Advisory 1]

Phishing and Redirection Vulnerability in Yahoo Network
Severity : Critical
Dated : 19 June 2007

Explanation:

A severe redirection and phishing vulnerability have been found in Yahoo
Network. The specific URL linked to any further yahoo website can be
manipulated by the attacker to redirect the traffic and used for
phishing. The critical point is the URL can be called by
third party for phishing.

Example : [Persistent Links]
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://help.yahoo.com/l/us/yahoo/mail/yahoomail/tools/tools-08.html
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=565000002:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=0/SIG=11lp7krrc/*http://docs.yahoo.com/info/copyright/copyright.html
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=565000002:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=1/SIG=1136qnvkg/*http://docs.yahoo.com/info/terms/
http://us.ard.yahoo.com/SIG=12l25b5lf/M=289534.9533254.10260072.9228191/D=sec_cntr/S=565000002:FOOT/Y=YAHOO/EXP=1182284340/A=4080514/R=3/SIG=134av65kc/*http://feedback.help.yahoo.com/feedback.php?.src=YSEC&.done=http://security.yahoo.com&.form=footer

The network is us.ard.yahoo.com. The vulnerability persist in the
internal redirection directly from website or from third party. the
attacker manipulates it as :

https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/< 

Rogue WebsiteName>

https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://www.google.com
https://us.ard.yahoo.com/SIG=12gb00bbf/M=341232.9804850.11489914.6055752/D=regst/S=150001465:R2/Y=YAHOO/EXP=1182284104/A=4651436/R=0/SIG=1255of0p5/*http://www.hushmail.com


The whole network is vulnerable to this. It is a virtually manipulated.

Status: Reported and Patched in 24 hours.

=====================================================================================================

[Advisory 2]
Yahoo Search Engine Phishing Vulnerability At Core
Severity : Critical
Dated : 19 June 2007

Explanation:

A severe redirection and phishing vulnerability have been found in Yahoo
Search Network.the links provide for the search to next page can be
manipulated by the phishers to redirect  traffic and used yahoo search
engine for phishing. The vulnerability affects the yahoo search
engine at full.

Example:[Persistent Links]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=11
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIzJXNyoA/SIG=14o91b3v5/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=21
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAJDJXNyoA/SIG=14ods48an/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=31

The above stated URL's are taken from the next page of query set as
"Hacking". the network used is rds.yahoo.com. the phisher exploits it
by  stripping off full yahoo search and appending the rogue website.

[Original URL]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//search.yahoo.com/search%3fp=Hacking%26y=Search%26rd=r1%26meta=vc%253Din%26fr=yfp-t-501%26fp_ip=IN%26xargs=0%26pstart=1%26b=11

[Phishing URL]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//[PhishingWebsite]
http://rds.yahoo.com/_ylt=A0geu4qjI3hGYOEAIjJXNyoA/SIG=14oi6m38j/EXP=1182364963/**http%3a//www.google.com

The whole yahoo search engine is vulnerable to this. The problem persist
in the internal linking.

Status : Reported To Yahoo Security. Accepted. Patch is in progress with
robust stature as explained by yahoo security..

=========================================================================================================================

Regards

Aditya K Sood aka Zeroknock
http://www.secniche.org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ