Yahoo helps scammers phish by ignoring open redirect vulnerability
Student security researcher Robert Kugler has found his warnings over security vulnerabilities ignored once again, after reporting an open redirect vulnerability to Yahoo.
Kugler found that Yahoo has a vulnerability that allows attackers to redirect victims to any site of their choosing, while still presenting the user with a yahoo.com URL. Called an open redirect, the use of such a vulnerability helps scammers lull their victims into a false sense of trust, since URLs are prefaced with the yahoo.com domain.
In a post on the Full Disclosure mailing list, Kugler shows how the following URL with the yahoo.com domain will redirect to google.com:
http://us.ard.yahoo.com/SIG=15n3q5c29/M=289534.11223993.11781333.10885343/D=he/S=18343859:FOOT2/Y=YAHOO/EXP=1274825933/L=YcSUjEKjqNAC2RCjS_sbeRbo0GpsAkv8MK0ACDlS/B=pFuES2KJiR0-/J=1274818733570885/K=FPiTgxmujdul0W5j.k5shQ/A=4808190/R=0/SIG=1136qnvkg/*http://www.google.com/
Although the end of the URL can provide a telltale sign that something may be amiss, simply encoding the redirect URL can obfuscate its true value as such:
http://us.ard.yahoo.com/SIG=15n3q5c29/M=289534.11223993.11781333.10885343/D=he/S=18343859:FOOT2 /Y=YAHOO/EXP=1274825933/L=YcSUjEKjqNAC2RCjS_sbeRbo0GpsAkv8MK0ACDlS/B=pFuES2KJiR0-/J=1274818733570885/K=FPiTgxmujdul0W5j.k5shQ/A=4808190/R=0/SIG=1136qnvkg/*%68%74%74%70%3a%2f%2f%77%77%77%2e%67%6f%6f%67%6c%65%2e%63%6f%6d%2f
Yahoo responded to Kugler's report and dismissed it, choosing instead to refer to it as a functionality on its site that is working as designed.
Redirects are sometimes necessary to ensure a good user experience, but good security practice dictates including some way of validating the URL, rather than allowing anyone to dictate the redirect.
While Yahoo does not consider it to be a vulnerability, open redirects are included as number 10 on the Open Web Application Security Project's Top 10 2013 list of the most common, but important, security vulnerabilities. Its general description of the vulnerability notes that "avoiding such flaws is extremely important, as they are a favourite target of phishers trying to gain the user's trust."
This is not the first time that Kugler has been sidelined by tech companies. He previously informed PayPal of cross-site scripting vulnerabilities on its site, and was subsequently disqualified from its bug bounty program due to his age.