full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [SVRT-01-09] Redirection V

[Full-disclosure] [SVRT-01-09] Redirection Vulnerability in Yahoo! Advertising Service

From: SVRT-Bkis <svrt_at_nospam>
Date: Tue Jan 06 2009 - 04:52:15 GMT
To: <full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>

[SVRT-01-09] Redirection Vulnerability in Yahoo! Advertising Service

  1. General Information On December 22, 2008, SVRT-BKIS found a vulnerability in Yahoo! Wap Service. This is the second vulnerability discovered by BKIS in cell phone Web platform, the first one was found in Google Wap Proxy.

Taking advantage of this flaw, hackers can perform redirection attack, which means they are able to send users to their malicious websites. We have notified Yahoo! of this vulnerability.

Details : http://security.bkis.vn/?p=324 SVRT Advisory : SVRT-01-09
Initial vendor notification : 12-23-2008 Release Date : 01-06-2009
Update Date : 01-06-2009
Discovered by : Dau Huy Ngoc - SVRT-Bkis Attack Type : Redirection
Security Rating : High
Impact : Phishing
Affected Software : Ads image at http://m.yahoo.com

2. Technical Description
The flaw lies in the advertising section of Yahoo! Wap Service, which allows displaying advertisements when users visit Yahoo! Wap address http://m.yahoo.com.

More specifically, this advertising section includes a link with the following format and it is this link that contains the flaw. http://us.ard.yahoo.com/SIG=17a4cd16v...=12etp7f3d/*[http://ads_image]

Note: this link may be expired after several days; you can recreate a new link following these steps: o Open http://m.yahoo.com o At the top of the page, get link of advertising image (here is precisely vulnerable link). o Edit this link by replacing URL after "/*" to an arbitrary address. o Open the edited link with your browser to see the redirection of this vulnerability.

If users clink directly on this link, their browsers will automatically redirect them to the address [http://anh_quang_cao] and everything on that site can be accessed, which makes it a Redirection vulnerability.

In order to exploit, hackers only need to change the address
[http://ads_image] in the previous link to their website address and send
the link to users. As this link uses Yahoo! domain name, users easily think it is safe and if the destination website contains malicious code or cheating content, hacker can steal users' sensitive information or even take control of their computers remotely.

3. Solution
Rating this vulnerability high severity, Bkis recommends that users: - Be cautious with strange links, even links starting with domain names of well-known companies like Google, Yahoo!, and Microsoft. - Do not access links starting with http://us.ard.yahoo.com.

Thanks to Dau Huy Ngoc for working together with us in the detection and alert process of this vulnerability.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/