Multiple Yahoo! Vulnerabilities and some tips and tricks

Author: Nemessis[at]RstZone.Org
Website: http://rstzone.org or http://en.rstzone.org

1. Webmessenger China


- Eternal CSRF
http://cn.webmessenger.yahoo.com – an application that looks pretty normal for Yahoo! yet its not really so. The Chinese version doesn't come any close to the original one: http://webmessenger.yahoo.com.
What is the problem?
Use any username to log on to http://cn.webmessenger.yahoo.com.
Use another one for the regular Yahoo! messenger client. Make sure that the user you log with on the regular Yahoo! messenger IS actually in the friends list of the one you are logging in the webmessenger.
Set your status to online and put the following code as your status:
<img src=”” onnerror=”alert(document.cookie)”>
Surprise. The code executes in the browser that you are logged in with the other user.
Impact: Knowing that it is a csrf the perpetrator can steal your login session or it can input a malevolent code without you knowing it.

2. My Chatroom trick


Did you know that you can make use of Yahoo! services to create your own messaging service?
Go to http://cn.messenger.yahoo.com/webmsgr/code.php.
After logging in you will be given an html code containing a link. What can you do with that link? Simple. Lets take this link for example:
http://cn.webmessenger.yahoo.com/index.php?t=1&to=eWlkPXJvb3QuZmxvb2Q-&sig=63761f8f753f4857bf8a275e46d7b3175cba5585
If you are logged in you can start a conversation with the user that created that link but, if you were not already logged in and tried to access that link, you would get a random nickname and can start a conversation without a problem. Try and see.

3. Webmessenger.yahoo.com


Browser DOS
I tried to apply the same vulnerability I found in the Chinese webmessenger but results came out different.
Though it accepts some statuses that contains html tags, the application that the webmessenger.yahoo.com is based on does not support tags containing <img src=”” onerror="alert(1)">.
The outcome would be the same regardless of the browser you are using. A flash9.ocx error that results in shutting off your browser. This is the best booter for the web version of the famous Yahoo! messenger.
Note: The Yahoo! Mail Beta messenger (that one inside of your mailbox) is not vulnerable.

4. Change password trick – interesting but useless


I will explain in short a hypothetical problem.
You know that in order to get to the password changing page you need to first put in your password. Probably those that use to steal cookies know this very well.
In order to get to that page you only need to access this link: https://edit.yahoo.com/config/change_pw?.src=ym (after you logged yourself in to your account). As I was saying, it is interesting but useless as long as you don’t know the password.

5. Trick – The messenger list (NOT the address book)


Log in to your account (acces this link):
http://i.cn.yahoo.com/invites/picker.html?imp=yim
You will see your messenger list on that page. It is useful also in case you logged in using just a cookie.

6. Trick – link to avatar


To see the avatar of a user, use te following link:
http://img.msg.yahoo.com/avatar.php?yids=TYPETHEUSERNAMEHERE&format=png
To see the avatar created by an user on: http://avatars.yahoo.com use this link:
http://lookup.avatars.yahoo.com/wimages?yid=TYPETHEUSERNAMEHERE &size=medium&type=jpg

7. Csrf – How to activate mail beta using image tag.


Send to someone using Yahoo! mail Classic an html attachment containing:
<img src="http://mrd.mail.yahoo.com/landing">
After he wil see your message his mail will automatically switch to Beta version.
Csrf – How ot dactivate mail beta using an image tag.
Send someone using Yahoo! mail beta an html attachment containing:
<img src=”http://us.f451.mail.yahoo.com/ym/login?ymv=0”>
After he wil see your message his mail will automatically switch to Classic version.
Attention: for Beta version it may be better to manually allow images as that version has the option to block images.

8. Useful links for cookies stealers:


How many times did it happen to you to enter in someone’s email without knowing he runs Beta and you find yourself logged in to his messenger unwittingly?
How can you avoid being automatically logged in to messenger when you enter a Beta mail without necessarily having to switch to mail classic?
Cause the victim can access the mail at any time and notice the change.
The solution is to switch to classic mail just one time. The solution is very simple and it depends on an url. When you put the cookie in the browser make sure NOT to log in directly to mail.yahoo.com. Use link:
http://us.mg1.mail.yahoo.com/ym/login?ymv=0
This will access mail classic without permanently changing the original settings that the owner set. Pretty simple right?
For your perusal, please check also: http://us.mg1.mail.yahoo.com/dc/system_requirements?browser=unsupported

9. Trick – How to login using a simple link



I don’t know what you could use it for but here you have 2 login links:

10. Yahoo! Wiki – phishing with Yahoo!



Did you know about Yahoo! Wiki? Probably not. Here’s what it was created for:
And here’s another use of it:
The url spoof term is widely known. Yet, sometimes you don’t even need that.
You can create a personal page on that wiki and introduce any content you like. The beauty of it is that you can customize the link used for phishing. For example:
http://developer.yahoo.net/hackday-wiki/index.cgi?NemessisRSTZONE will be created in the instant I will access it. I will click “Edit” and put my own content. For example: I'm a legit Yahoo service. Just send me your password at hacker@yahoo.com)
How many people nowadays would trust a phishing-type message hosted on a yahoo! page? I bellieve a whole lot! This is one of the biggest flaws from one of the largest and attacked companies in the world.
 
P.S. - thank you for your website great content. I'm an admirer. I hope that we will see new articles posted by you very soon.
 
Nemessis