Information Assurance

Grey Schober




Bugtraq Analysis

Yahoo! Messenger Authentication Bypass Vulnerability http://www.securityfocus.com/archive/1/463932/30/390/threaded


Problem: When logged into Yahoo Messenger, the user can click a button to open his or her Yahoo e-mail account in the web browser. This is done using a user-specific URL: the browser requests it and the user gains access to the mail account through a webmail interface (rather than a client). The key, however, is that this URL is not tied to a session and has no expiration. The URL is also not removed from the cache, as would be typical for something like this.

A malicious user with access to the browser's History or cache can easily retrieve the URL and thus log in to the attacked account without proper authentication.

I am not aware if this is much of a problem over a network, but with novice users using public computer terminals, this poses a serious risk as an attacker can easily impersonate someone. Another example would be in the workplace where you could do something malicious over e-mail while pretending to be someone else.

What could have prevented it: Proper coding could have prevented this. Yahoo could also have been less feature-hungry and omitted the ability to log in to your e-mail through the messenger service.

Workaround: Erasing the cache manually, not using Yahoo Messenger, avoiding logging in from a public terminal.

What can be done to prevent it in future: Approach coding with the idea that you should erase anything containing sensitive information immediately after it is no longer needed.
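The two properties the problem description says the URL lacked (a session binding and an expiration) can be enforced on the server side, so that a copy of the URL left in History or the cache is useless. The sketch below is an added example, not Yahoo's code or anything from the advisory; the function names, the 30-second lifetime, the token layout and the in-memory stores are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed values for this sketch: a per-deployment secret and a short lifetime.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 30          # seconds a handoff URL stays valid
_used_nonces = set()    # a real service would use a shared store with expiry


def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_handoff_token(user, session_id, now=None):
    """Build the value the messenger client places in the webmail URL."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    payload = f"{user}|{session_id}|{issued}|{nonce}"
    return f"{payload}|{_sign(payload.encode())}"


def redeem_handoff_token(token, live_sessions, now=None):
    """Return the user name if the token is acceptable, otherwise None."""
    now = time.time() if now is None else now
    try:
        user, session_id, issued, nonce, sig = token.split("|")
        issued = int(issued)
    except ValueError:
        return None                      # malformed: fail closed
    payload = f"{user}|{session_id}|{issued}|{nonce}".encode()
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None                      # forged or altered
    if now < issued or now - issued > TOKEN_TTL:
        return None                      # expired (or clock mismatch)
    if session_id not in live_sessions:
        return None                      # messenger session already logged out
    if nonce in _used_nonces:
        return None                      # URL replayed from history or cache
    _used_nonces.add(nonce)
    return user
```

With checks like these, clearing the cache becomes defence in depth rather than the only barrier: a recovered URL fails on expiry, on reuse, or once the messenger session has ended.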