Yahoo and Yahoo Japan May Be Vulnerable to Spam


Student security researcher Wang Jing from School of Physical and Mathematical Sciences at Nanyang Technological University, Singapore, has found new security vulnerabilities related to Yahoo.


After several Open Redirect vulnerabilities were reported to Yahoo, Yahoo’s response was “It is working as designed”. It seems that Yahoo does not take these vulnerabilities seriously at all.


Based on Wang’s report on Full Disclosure: “Multiple Open Redirect vulnerabilities were reported to Yahoo. All of Yahoo’s responses were ‘this is intended behavior’. However, these vulnerabilities were patched later.”


The Yahoo vulnerability occurs on the “ard.yahoo.com” page, while the Yahoo Japan vulnerability is on the sensitive page “http://order.store.yahoo.co.jp”.
Proof-of-concept videos were also released on YouTube to illustrate the exploits.

(1) Yahoo Open Redirect
https://www.youtube.com/watch?v=k4eFLsTyZkg
(2) Yahoo Japan Unvalidated Redirects and Forwards (URF)
https://www.youtube.com/watch?v=2SM78WKAVr8

In fact, Yahoo’s users were attacked through redirection earlier this year. According to CNET on January 4, 2014, “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware.”


Wang wrote that the attack could work without the user being logged in, and that his tests used Firefox (33.0) on Ubuntu (14.04) and IE (10.0.9200.16521) on Windows 8.

Redirects can provide a good user experience. However, if they are not implemented properly, attackers can use them to trick users. This is common in phishing attacks and spam.


As of 21 December 2014, Yahoo.com’s Alexa ranking is 4, while Yahoo.co.jp’s Alexa ranking is 17. Both are very popular around the world. From Wikipedia, “Yahoo during July 2013 surpassed Google on the number of United States visitors to its Web sites for the first time since May 2011, set at 196 million United States visitors, having increased by 21 percent in a year.”

Open redirect is listed in the OWASP Top 10. The general consensus on it is that “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust.”
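The defence the OWASP guidance points at is to validate the redirect target before issuing the 3xx response, allowing only same-site paths and an explicit allowlist of hosts. The following Python function is an added example, not code from Wang’s report or from Yahoo; the `ALLOWED_HOSTS` set and the sample targets are constructed for illustration. Besides the obvious foreign-host case, it rejects the shapes that commonly slip past a naive “starts with /” or “contains our domain” check: protocol-relative `//host`, backslash variants that browsers treat as slashes, userinfo tricks such as `trusted-host@other-host`, non-HTTP schemes, and embedded control characters.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to (constructed for the example).
ALLOWED_HOSTS = {"www.example.com", "store.example.com"}
# Where to send the user when the requested target fails validation.
DEFAULT_TARGET = "/"


def normalize_for_check(target: str) -> str:
    """Browsers treat '\\' like '/' in the scheme and authority part of a URL,
    so '/\\other.example' is really '//other.example'. Normalise before parsing
    so the check sees what the browser will see."""
    return target.strip().replace("\\", "/")


def is_safe_redirect(target: str) -> bool:
    """Return True only if target is a same-site absolute path or an
    http(s) URL whose host is on the allowlist."""
    if not target:
        return False
    t = normalize_for_check(target)

    # Control characters (tab, CR, LF, ...) have no place in a redirect target
    # and can confuse header parsing; reject outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in t):
        return False

    parts = urlsplit(t)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a single-slash absolute path. A leading
        # "//" would be protocol-relative (handled below as having a netloc),
        # but guard explicitly in case of odd parser behaviour.
        return t.startswith("/") and not t.startswith("//")

    # Protocol-relative "//host/..." has netloc but no scheme -> rejected here,
    # as are javascript:, data:, and any other non-HTTP scheme.
    if parts.scheme.lower() not in ("http", "https"):
        return False

    # urlsplit() strips userinfo, so "https://www.example.com@other.example/"
    # yields hostname "other.example" and fails the allowlist as it should.
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def safe_redirect_target(target: str) -> str:
    """Return the requested target if it validates, otherwise the safe default."""
    return target if is_safe_redirect(target) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed sample inputs, as a login form's "next" parameter might carry.
    for sample in ["/account/settings", "//other.example/", "/\\other.example",
                   "https://www.example.com@other.example/", "javascript:void(0)",
                   "https://store.example.com/order?id=1", "https://other.example/"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```

The allowlist is compared on the parsed hostname, not by substring on the raw string, which is the mistake behind most “our domain appears in the URL” bypasses. Anything that does not validate falls back to the site root rather than producing an error, so a tampered link degrades gracefully for the user while the attacker gains nothing.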

