client side vulnerability in yahoo mail
- From: p3rlhax@xxxxxxxxx
- Date: 4 Sep 2006 04:19:34 -0000
Yahoo! Inc. is an American computer services company with a mission to "be
the most essential global Internet service for consumers and businesses". It
operates an Internet portal, including the popular Yahoo! Mail. The global network of Yahoo! websites received
3.4 billion page views per day on average as of October 2005.
Yahoo mail services are vulnerable to information leakage and authentication bypass which is caused due to improper caching of pages by the browser.
if(document.cookie != "" && document.cookie.indexOf("zI0XEB") == -1)
During valid sessions yahoo sets a cookie T= zI0XEB<random data>
As this cookie is cleared at logout the back button takes you to the page but the above script redirects you to the main login page.
<META HTTP-EQUIV=Refresh CONTENT="0; URL=/ym/login?nojs=1">
Various tools can be used to intercept the redirect and cached private data of previous users can be viewed without login.
Yahoo mail has been confirmed vulnerable.
Cenzic is currently unaware of any effective workarounds that can be implemented on the server in order to mitigate the risk of this vulnerability; however, there are workarounds available for client protection. Clients could disable caching of pages at the browser. This will prevent any pages from being cached and view later. Take note that employing this workaround could adversely affect browsing experience. The cache could also be cleared after browsing.
VI. VENDOR RESPONSE
Vendor claims to be working on the problem.
VII. CVE INFORMATION
VIII. DISCLOSURE TIMELINE
7/7/06 Initial vendor notification
??/??/??Initial vendor response
??/??/??Coordinated public disclosure
Kishor Datar and Avinash Shenoi
X. LEGAL NOTICES
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Cenzic. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please email for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.