Yahoo search redirection vulnerability
C Bansal, BITS Goa and INRIA Paris-Rocquencourt
K Bhargavan, INRIA Paris-Rocquencourt
S Maffeis, Imperial College London
November 10, 2011
Yahoo search uses redirection URLs that may be exploited
by third-party websites as open redirectors. More importantly,
a URL parsing error in these redirectors leads to sensitive
information being leaked.
Open redirectors are a known security hazard, but in combination
with Yahoo's "Sign in with Facebook" and "Sign in with Google" features
they can lead to Yahoo users' tokens being leaked to third-party websites.
See here for an example attack.
When a Yahoo search yields a link to a website W.com and a user clicks on the link,
Yahoo in fact forwards the user to a redirector URL, roughly of the form:
This redirector then redirects the user to http://W.com
The redirector URL works in any browser and session, independently of any server-side state,
so if the website W.com is malicious, it may use this URL as an open redirector to itself.
In particular, a user may mistakenly believe she is sending information to www.yahoo.com
when the information is instead passed on to W.com. This problem is exacerbated by a URL parsing error.
As a concrete example, consider a user who has signed up for the "Sign in with Facebook" feature at Yahoo.
Suppose a malicious website forwards the user to Facebook with a return URI of the form:
Facebook thinks that Yahoo is requesting a token for the user (not realizing that the URL actually points to W.com).
Facebook would then issue a token T and redirect the user back to:
Note the fragment URI attached to the end of the URL.
As far as Facebook (and the user) are concerned, the token T is meant for www.yahoo.com and should not be forwarded to W.com.
Yahoo should parse this URL as:
Instead, it mistakenly parses such URLs as:
Hence, it leaks the token on to W.com.
- The parsing of redirection URLs should be fixed so that any extra query parameters or fragment URIs are
discarded before forwarding. Alternatively, Yahoo could reject any redirection URL that does not exactly
match the URL found during search.
Hence, when given:
Everything after the ? should be discarded. If the URL for W.com has query parameters of its own, they can
be included in URL-encoded form inside the above URL. The important step is to discard any query parameters
and fragment URIs that were meant for Yahoo and not for W.com.
- Yahoo's search redirection can be used as an open redirector to any website indexed by Yahoo. This can
be prevented by binding the redirection link to the browser's session cookie, which provides a form of CSRF protection.
In other words, only a user who clicks the link on a Yahoo search results page loaded in her own session would be able to use it.
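The following is an added example, not Yahoo's code and not part of the original advisory. It models the parsing error described above and both recommended fixes: a redirector that discards the query string and fragment meant for Yahoo (optionally accepting only URLs the search index returned), and one that binds each link to the user's session with an HMAC tag. The redirector layout, the hostname search.example, the field names RU and T, the session identifiers and the attack links are all assumptions made for the example; the page does not reproduce Yahoo's actual URL format. The parsers operate on the complete URL string, as the advisory presents it.

```python
"""Added example (not Yahoo's code): a search redirector with the parsing
error described above, beside a hardened version that (1) discards the
query string and fragment meant for the redirector and (2) binds each
redirection link to the user's session with an HMAC tag.

Assumed redirector layout (the page does not reproduce Yahoo's):

    http://search.example/r/RU=<percent-encoded target>/T=<hmac tag>

Everything in the path belongs to the redirector; anything after '?' or
'#' was appended by someone else and must never be forwarded.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import quote, unquote, urlsplit

REDIRECTOR = "http://search.example/r/"
# Per-deployment secret (constructed here; load it from a secret store in practice).
SERVER_KEY = secrets.token_bytes(32)


def buggy_target(link: str) -> str:
    """The parsing error: everything after 'RU=' is taken as the target, so a
    '?code=...' or '#access_token=...' that an identity provider attached for
    the redirector travels on to the target site."""
    return unquote(link.split("RU=", 1)[1])


def _path_fields(link: str) -> Dict[str, str]:
    """Split the redirector *path* into its 'KEY=value' segments. urlsplit
    separates query and fragment, so neither can reach the target."""
    fields: Dict[str, str] = {}
    for segment in urlsplit(link).path.split("/"):
        key, sep, value = segment.partition("=")
        if sep:
            fields[key] = value
    return fields


def fixed_target(link: str, indexed: Set[str]) -> Optional[str]:
    """Fix 1: parse only the path, then refuse any target the search index
    did not return (the 'exact match' alternative from the advisory)."""
    raw = _path_fields(link).get("RU")
    if raw is None:
        return None
    target = unquote(raw)
    return target if target in indexed else None


def _tag(session_id: str, target: str) -> str:
    """HMAC over (session, target): the link is only valid in the session
    whose search results page produced it."""
    message = session_id.encode() + b"\x00" + target.encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def make_link(session_id: str, target: str) -> str:
    """Produced when rendering search results for this session."""
    return f"{REDIRECTOR}RU={quote(target, safe='')}/T={_tag(session_id, target)}"


def bound_target(session_id: str, link: str) -> Optional[str]:
    """Fix 2: resolve a link only if its tag matches the session cookie
    presented with the request; query and fragment are ignored as in Fix 1."""
    fields = _path_fields(link)
    if "RU" not in fields or "T" not in fields:
        return None
    target = unquote(fields["RU"])
    expected = _tag(session_id, target)
    if not hmac.compare_digest(fields["T"].encode(), expected.encode()):
        return None
    return target


if __name__ == "__main__":
    # Constructed attack link: the identity provider's response rides on the fragment.
    attack = REDIRECTOR + "RU=http%3A%2F%2FW.com%2F#access_token=T"
    print("buggy :", buggy_target(attack))                 # token forwarded to W.com
    print("fixed :", fixed_target(attack, {"http://W.com/"}))
    link = make_link("session-A", "http://W.com/")
    print("bound :", bound_target("session-A", link + "#access_token=T"))
    print("other :", bound_target("session-B", link))      # None: different session
```

The two fixes are independent: `fixed_target` alone closes the token leak, while `bound_target` additionally stops the link from working as an open redirector for anyone who did not load the search results page in that session. Tag verification uses a constant-time comparison so a rejected link reveals nothing about the expected tag.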