Open Redirect in Yahoo Store

WS201501 – Open Redirect in Yahoo Store
by David Sopas @dsopas
www.websegura.net

Description

When tracking for a open vulnerability on another web application, I come across this Open Redirect – https://www.owasp.org/index.php/Open_redirect – on Yahoo Store [Japan]. Not covered by any vulnerability bounty program I still send it to Yahoo guys on Japan.

Proof-of-concept

http://order.store.yahoo.co.jp/cgi-bin/yj-affiliate-entry?ITRACK_INFO=08783635510215210714021908898&COOKIE_PATH=
/&COOKIE_DOMAIN=.yahoo.co.jp&VIEW_URL=http://www.websegura.net

The lack of validation on VIEW_URL variable could be tricked to forward users to another website. Malicious users could use this type of vulnerability on Phishing campaigns and redirect users to other pages to steal victims credentials.

Yahoo fixed this security issue and thanked me for this security warning.

Timeline

20 Dec.14 – Submited to Yahoo
24 Dec.14 – Yahoo replied that will fix it
07 Jan.15 – Yahoo replied that it’s an old system and will take some time to fix
26 Feb.15 – Open redirect is fixed
02 Mar.15 – Full disclosure

Achaste interessante? Partilha!