Title

Yahoo search redirection vulnerability

Authors

C Bansal, BITS Goa and INRIA Paris-Rocquencourt
K Bhargavan, INRIA Paris-Rocquencourt
S Maffeis, Imperial College London

Important Dates

November 10, 2011

Summary

Yahoo search uses redirection URLs that may be exploited by third-party websites as open redirectors. More importantly, a URL parsing error in these redirectors leads to sensitive information being leaked.

Relevant Websites

search.yahoo.com

Impact: Medium

Open redirectors are known to be a security hazard, but in combination with Yahoo's "Sign in with Facebook" and "Sign in with Google" features they can lead to Yahoo users' tokens being leaked to third-party websites. See the Attack section below for an example attack.

Attack

When a Yahoo search yields a link to a website W.com and a user clicks on the link, Yahoo in fact forwards the user to a redirector URL, roughly of the form:
http://www.yahoo.com/r/_ylt=A0o[...]/**http%3a//W.com
This redirector then redirects the user to http://W.com. The redirector URL works across browsers and sessions irrespective of the state, and if the website W.com is malicious, it may use this URL as an open redirector to itself. In particular, a user may mistakenly believe she is sending information to www.yahoo.com when the information is instead forwarded on to W.com. This problem is exacerbated by a URL parsing error. As a concrete example, consider a user who has signed up for the "Sign in with Facebook" feature at Yahoo. Suppose a malicious website forwards the user to Facebook with a return URI of the form:
http://www.yahoo.com/r/_ylt=A0o[...]/**http%3a//W.com
Facebook thinks that Yahoo is requesting a token for the user (not realizing that the URL actually points to W.com). Facebook would then issue a token T and redirect the user back to:
http://www.yahoo.com/r/_ylt=A0o[...]/**http%3a//W.com#token=T
Note the fragment attached to the end of the URL. As far as Facebook (and the user) are concerned, the token T is meant for www.yahoo.com and should not be forwarded along to W.com. Yahoo should parse this URL as:
host: http://www.yahoo.com
path: /r/_ylt=A0o[...]/
redirection_uri: http://W.com
fragment: token=T
Instead, it mistakenly parses such URLs as:
host: http://www.yahoo.com
path: /r/_ylt=A0o[...]/
redirection_uri: http://W.com#token=T
Hence, it leaks the token along to W.com.

Recommendations

  1. The parsing of redirection URLs should be fixed, so that any extra query parameters or fragment URIs are discarded before forwarding. Alternatively, Yahoo could reject any redirection URL that does not exactly match the URL found during search. Hence, when given http://www.yahoo.com/r/_ylt=A0o[...]/**http%3a//W.com?code=C#token=T, everything after the ? should be discarded. If there are any query parameters in the URL for W.com, they can be included in URL-encoded form inside the redirection URL. The important step is to discard any query parameters and fragment URIs that were meant for Yahoo and not for W.com.
  2. Yahoo's search redirection can be used as an open redirector to any website indexed by Yahoo. This can be prevented if the redirection link were bound to the browser cookie, to provide a form of CSRF protection. In other words, only users who click on the Yahoo search page would be allowed to access the redirection link.
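The parsing error from the Attack section and the fix from recommendation 1, as an added example that is not Yahoo's code: a faulty parse that treats everything after the "/**" marker as the target beside a corrected parse that splits the outer URL first and only decodes the target from the path. The "/**" marker is taken from the URL shapes shown above; the _ylt value and the sample URLs are constructed placeholders.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Separator between the Yahoo path prefix and the URL-encoded target
# (taken from the redirector URLs shown above).
MARKER = "/**"

# Constructed sample: a redirector URL with a query and a fragment that
# were addressed to www.yahoo.com, not to W.com.
SAMPLE = "http://www.yahoo.com/r/_ylt=A0oEXAMPLE/**http%3a//W.com?code=C#token=T"


def vulnerable_target(redirector_url: str) -> str:
    """Mimics the faulty parse: everything after the marker is decoded and
    used as the redirection target, so '?code=C#token=T' travels to W.com."""
    _, _, tail = redirector_url.partition(MARKER)
    return unquote(tail)


def fixed_target(redirector_url: str) -> Optional[str]:
    """Recommended parse: split the outer URL into its components first and
    take the target only from the path segment after the marker. Any query
    or fragment on the outer URL belongs to Yahoo and is dropped. Query
    parameters meant for W.com survive only if they were URL-encoded inside
    the path (e.g. %3fq%3d1), as recommendation 1 describes."""
    outer = urlsplit(redirector_url)
    if outer.scheme != "http" or outer.netloc != "www.yahoo.com":
        return None
    _, found, tail = outer.path.partition(MARKER)
    if not found:
        return None
    target = unquote(tail)
    # The decoded target must itself be an absolute http(s) URL.
    inner = urlsplit(target)
    if inner.scheme not in ("http", "https") or not inner.netloc:
        return None
    return target


if __name__ == "__main__":
    print("faulty parse :", vulnerable_target(SAMPLE))  # token leaks to W.com
    print("fixed parse  :", fixed_target(SAMPLE))       # http://W.com
```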