Yahoo helps scammers phish by ignoring open redirect vulnerability

Summary: Instead of closing one of the top 10 most common web vulnerabilities on its site, Yahoo has said that an open redirect flaw is 'working as designed'.

Student security researcher Robert Kugler has found his warnings over security vulnerabilities ignored once again, after reporting an open redirect vulnerability to Yahoo.

Kugler found that Yahoo has a vulnerability that allows attackers to redirect victims to any site of their choosing, while still presenting the user with a URL. Called an open redirect, the use of such a vulnerability helps scammers lull their victims into a false sense of trust, since URLs are prefaced with the domain.

In a post on the Full Disclosure mailing list, Kugler shows how the following URL with the domain will redirect to*

Although the end of the URL can provide a telltale sign that something may be amiss, simply encoding the redirect URL can obfuscate its true value as such: /Y=YAHOO/EXP=1274825933/L=YcSUjEKjqNAC2RCjS_sbeRbo0GpsAkv8MK0ACDlS/B=pFuES2KJiR0-/J=1274818733570885/K=FPiTgxmujdul0W5j.k5shQ/A=4808190/R=0/SIG=1136qnvkg/*%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f

Yahoo responded to Kugler's report and dismissed it, describing the behaviour instead as site functionality that is working as designed.

Redirects are sometimes necessary to ensure a good user experience, but good security practice dictates including some way of validating the URL, rather than allowing anyone to dictate the redirect.
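The validation the paragraph above calls for, shown as an added example that is not code from the article, from Kugler's post or from Yahoo: a Python allow-list check for a redirect parameter. The names `ALLOWED_HOSTS`, `is_safe_redirect` and `resolve_redirect` and the example hosts are assumptions. The function expects the extracted redirect target (the value after the `*` in the URL Kugler reported, or a `?url=` query parameter), not the whole request path, and it also handles the percent-encoded form shown in the article, which decodes to `http://www.google.com/` and is rejected.

```python
from urllib.parse import unquote, urlsplit

# Hosts this application is willing to redirect to. Placeholder values for the
# example; a real deployment lists its own domain(s).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allow-listed host.

    Accepts same-origin paths ("/mail/inbox") and absolute URLs whose host is
    in the allow-list. Rejects everything else: foreign hosts, percent-encoded
    absolute URLs, scheme-relative "//host" forms, backslash variants that
    browsers normalise to a slash, and non-http(s) schemes such as javascript:.
    """
    if not target:
        return False

    # Decode repeatedly (bounded) so double-encoded values such as %2568 for
    # "h" cannot slip past a single-pass check.
    decoded = target
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    decoded = decoded.strip()

    # Control characters and embedded whitespace have no place in a target.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in decoded):
        return False

    # Browsers treat "\" like "/", so "/\evil.com" is really "//evil.com".
    decoded = decoded.replace("\\", "/")

    parts = urlsplit(decoded)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    if parts.netloc:
        # Absolute or scheme-relative URL: the host (after any user@ prefix)
        # must be on the allow-list exactly, not merely contain it.
        host = (parts.hostname or "").lower()
        return host in allowed_hosts

    # No host given: must be a plain path, never the "//host" form.
    return decoded.startswith("/") and not decoded.startswith("//")


def resolve_redirect(target: str, default: str = "/") -> str:
    """Return `target` if it is safe, otherwise fall back to `default`."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed inputs, including the encoded value from the article.
    samples = [
        "/mail/inbox",
        "https://www.example.com/login",
        "http://www.google.com/",
        "%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f",
        "//evil.com/",
        "/\\evil.com/",
        "http://www.example.com@evil.com/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:75} -> {resolve_redirect(s)}")
```

The check compares the parsed host against the allow-list exactly rather than testing whether the string "contains" the trusted domain, which is what lets `www.example.com@evil.com` and `www.example.com.evil.com` through in naive implementations; the fallback to `/` means a rejected target degrades to a harmless same-site landing page rather than an error.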

While Yahoo does not consider it to be a vulnerability, open redirects are included as number 10 on the Open Web Application Security Project's Top 10 2013 list of the most common and most serious web security vulnerabilities. Its general description of the vulnerability notes that "avoiding such flaws is extremely important, as they are a favourite target of phishers trying to gain the user's trust."

This is not the first time that Kugler has been sidelined by tech companies. He previously informed PayPal of cross-site scripting vulnerabilities on its site, and was subsequently disqualified from its bug bounty program due to his age.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • "It's not a bug, it's a feature"...

    Sorry, couldn't resist. Anyhow, how many web users even look at the full URL? Some browsers don't even display the full URL any longer without some contortions. Interesting to think about, though.
  • Yahpoo

    Yahoo has so many exploits in the way it implements its protocol. I found countless exploits in their chat, web and mail protocols on which stealing someone's account details (username/cookies) was as simple as sending a BD packet with a redirect URL embedded into the packet after the 21 field. They are a joke and always will be. Another way of stealing an account was to change the login string and set the epoch time of &t=0 to zero. This would then allow me to log in with the original password that was set when the account was created.
    Now that's just a fraction of what I used to do!
  • Not Just Yahoo

    It's not just Yahoo that does this but Google as well. I recently found an open redirect vulnerability in one of Google's sites, yet they insisted that "the usability and security benefits of a well monitored redirect system outweigh its risks". Never have I read such nonsense in my life; there are NO benefits to allowing a user to redirect to any site he wishes, and the last thing it is is well monitored. It's quite simply Google, a multi-billion-dollar company, trying to get out of paying a couple of hundred dollars (same case with Yahoo). Quite pathetic really.