Client-side vulnerability in Yahoo Mail

I. BACKGROUND
Yahoo! Inc. is an American computer services company with a mission to "be
the most essential global Internet service for consumers and businesses". It
operates an Internet portal, including the popular Yahoo! Mail. The global network of Yahoo! websites received
3.4 billion page views per day on average as of October 2005.

Yahoo Mail is vulnerable to information leakage and authentication bypass caused by improper caching of pages by the browser.

II. DESCRIPTION
Yahoo has an interesting approach: within a valid browser session the pages can be viewed from the cache, but after logout the back button cannot be used to view them. This is achieved by setting the cache-control directive to private (Cache-Control: private), which allows pages to be stored in the browser's private cache. However, each page carries a JavaScript check for a random value in a cookie that is set at login and cleared at logout. If the value is not found, the page redirects to the main login page. The presence of this value indicates a valid active session.
e.g.:

// Redirect to the login page when cookies exist but the session marker is missing
if (document.cookie != "" && document.cookie.indexOf("zI0XEB") == -1)
{
    window.open("http://mail.yahoo.com", "_top");
}

During valid sessions Yahoo sets a cookie T=zI0XEB<random data>.
As this cookie is cleared at logout, the back button takes you to the page, but the script above redirects you to the main login page.

III. ANALYSIS
One way around the scheme above is to disable JavaScript after logging out of a valid session and then press the back button. What is observed is that the page is rendered very briefly before the page detects that JavaScript has been disabled and redirects you to another page. However, the window is long enough to catch a glimpse of the previous user's private data.
e.g.:
<noscript>
<META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1">
</noscript>

Various tools can be used to intercept the redirect, so the cached private data of previous users can be viewed without logging in.
IV. DETECTION
Yahoo mail has been confirmed vulnerable.

V. WORKAROUND

Cenzic is currently unaware of any effective workarounds that can be implemented on the server in order to mitigate the risk of this vulnerability; however, there are workarounds available for client protection. Clients could disable caching of pages in the browser. This will prevent any pages from being cached and viewed later. Take note that employing this workaround could adversely affect the browsing experience. The cache could also be cleared after browsing.
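As an added example (not part of the Cenzic advisory), the following audit distinguishes responses whose caching directive still lets the browser store the page, as the Cache-Control: private setting described in section II does, from responses carrying no-store, which tells the browser to keep nothing. The response headers are constructed samples, and the cookie value is a placeholder modelled on the T= cookie described above.

```python
# Constructed sample response heads (not captured from Yahoo); headers only.
SAMPLE_RESPONSES = {
    "inbox_private": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: private\r\n"
        "Set-Cookie: T=zI0XEB<placeholder>; path=/\r\n"
        "\r\n"
    ),
    "inbox_no_store": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Cache-Control: no-store, no-cache, must-revalidate\r\n"
        "Pragma: no-cache\r\n"
        "\r\n"
    ),
    "inbox_no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def parse_headers(raw):
    """Map lowercased header names to their values from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_directives(headers):
    """Collect Cache-Control directive names (lowercased, parameters dropped)."""
    directives = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            directives.add(token.strip().split("=", 1)[0].lower())
    return directives


def browser_may_store(raw):
    """True when the browser's private cache is allowed to keep the response.

    'private' only restricts shared caches; the user's own browser may still
    store the page. Only 'no-store' forbids storage, and a response with no
    Cache-Control header at all is treated as storable.
    """
    return "no-store" not in cache_directives(parse_headers(raw))


def audit(responses):
    """Verdict per response: flag authenticated pages the browser may retain."""
    return {name: ("storable" if browser_may_store(raw) else "not stored")
            for name, raw in responses.items()}
```

Run audit() over the heads of the authenticated pages you capture; every "storable" verdict marks a page whose contents could survive logout in the browser cache and should be tested with the back-button check described in section III.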

VI. VENDOR RESPONSE
Vendor claims to be working on the problem.

VII. CVE INFORMATION


VIII. DISCLOSURE TIMELINE

7/7/06 Initial vendor notification

??/??/?? Initial vendor response

??/??/?? Coordinated public disclosure

IX. CREDIT

Kishor Datar and Avinash Shenoi



X. LEGAL NOTICES

Copyright ©

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Cenzic. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please email for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.


