WS201501 - Open Redirect in Yahoo Store
by David Sopas @dsopas
www.websegura.net
Description
When tracking for a open vulnerability on another web application, I come across this Open Redirect - https://www.owasp.org/index.php/Open_redirect - on Yahoo Store [Japan]. Not covered by any vulnerability bounty program I still send it to Yahoo guys on Japan.
Proof-of-concept
http://order.store.yahoo.co.jp/cgi-bin/yj-affiliate-entry?ITRACK_INFO=08783635510215210714021908898&COOKIE_PATH=
/&COOKIE_DOMAIN=.yahoo.co.jp&VIEW_URL=http://www.websegura.net
The lack of validation on VIEW_URL variable could be tricked to forward users to another website. Malicious users could use this type of vulnerability on Phishing campaigns and redirect users to other pages to steal victims credentials.
Yahoo fixed this security issue and thanked me for this security warning.
Timeline
20 Dec.14 - Submited to Yahoo
24 Dec.14 - Yahoo replied that will fix it
07 Jan.15 - Yahoo replied that it’s an old system and will take some time to fix
26 Feb.15 - Open redirect is fixed
02 Mar.15 - Full disclosure
Nuno Silva: Boa tarde. Eu recebi esta proposta? Alguem me sabe esclarecer de algum...
Pedro: Fui mais uma vítima do Carlos Refachinho. Inocentemente confiei na con...
Lais Borges: Recebi um e-mail de um interessado na minha câmera e achei estranho, p...
Antonio: Mais um burlão, Carlos Alberto Cardoso Saramago com o contacto 9685192...
Antonio Carlos de Melo: Recebi tambm...tirei passaporte...pediram dinheiro para pagar moradia ...
