Attackers can abuse Yahoo developer feature to steal user emails, other data


ID: IRCNE2012121688
Date: 2012-12-04

According to Computerworld, attackers can read emails, contacts and other private data from the accounts of Yahoo users who visit a malicious page, by abusing a feature present on Yahoo's Developer Network website, an independent security researcher says.
A limited version of the attack was presented on Sunday at the DefCamp security conference in Bucharest, Romania, by a Romanian Web application bug hunter named Sergiu Dragos Bogdan.
In his presentation, the researcher showed how the Web-based YQL (Yahoo Query Language) console, available on the developer.yahoo.com website, can be abused by attackers to execute YQL commands on behalf of authenticated Yahoo users who visit malicious websites.
YQL is a query language, similar to SQL (Structured Query Language), that was created by Yahoo. It can be used to query, filter and combine data stored in databases.
Non-authenticated users can only run YQL queries against tables containing publicly visible Yahoo information, such as information from Yahoo Answers, Yahoo Weather and other services. However, when they are authenticated, users also gain access to tables containing their own Yahoo account data, including emails, contacts and private profile information.
When a query is entered in the console's "YQL statement" field and the "TEST" button is pressed, a user-session-specific authorization code called the "crumb" is also submitted along with the request. The crumb is generated when the user visits the YQL console page and is inserted into the form requests automatically.
During his presentation, Bogdan presented a proof-of-concept (PoC) attack page that loaded a specific developer.yahoo.com URL inside an iframe. When the attack page was visited by an authenticated Yahoo user -- a test account was used -- the iframe returned the visitor's crumb code.
In his PoC attack, Bogdan used a YQL command to change the user's Yahoo profile status in Yahoo's database, but the same method can be used to run a YQL query that returns a number of emails from the user's Yahoo email account, or other private information.
In order to actually read the emails, the attacker would need to use another technique that forces the returned data to be sent to the attacker's server.
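The weakness described above is that the crumb, a per-session anti-forgery token, is the only thing the console checks, so once a third-party page can obtain a visitor's crumb the check passes. The following is an added illustration, not Yahoo's or the researcher's code: a toy model of the console's request check, contrasting a crumb-only check with one that also requires the request to come from the console's own origin, plus the response headers that keep the console page from being loaded in another site's iframe. The origin, session names and header values are assumptions.

```python
# Added example (not Yahoo's code): toy model of a console endpoint's request check.
import secrets

CONSOLE_ORIGIN = "https://developer.yahoo.com"   # assumed origin of the YQL console
_crumbs: dict[str, str] = {}                     # session id -> crumb issued for it


def issue_crumb(session_id: str) -> str:
    """Generated when the user loads the console page; the form submits it back."""
    crumb = secrets.token_urlsafe(16)
    _crumbs[session_id] = crumb
    return crumb


def crumb_only_check(session_id: str, crumb: str) -> bool:
    """Weak: a valid crumb is accepted no matter which page issued the request."""
    return secrets.compare_digest(_crumbs.get(session_id, ""), crumb)


def hardened_check(session_id: str, crumb: str, headers: dict) -> bool:
    """The crumb must match the session AND the request must originate from
    the console itself (Origin header, falling back to Referer)."""
    if not crumb_only_check(session_id, crumb):
        return False
    origin = headers.get("Origin") or headers.get("Referer", "")
    # exact match, or a Referer URL beneath the console origin ("origin/..." only,
    # so "https://developer.yahoo.com.evil" does not pass)
    return origin == CONSOLE_ORIGIN or origin.startswith(CONSOLE_ORIGIN + "/")


def console_page_headers() -> dict:
    """Response headers for the console page: refuse framing by other sites and
    keep the session cookie from riding along on cross-site requests."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
        "Set-Cookie": "session=<id>; Secure; HttpOnly; SameSite=Strict",
    }


if __name__ == "__main__":
    crumb = issue_crumb("victim-session")   # constructed session for the demo
    print(crumb_only_check("victim-session", crumb))                                   # True
    print(hardened_check("victim-session", crumb, {"Origin": CONSOLE_ORIGIN}))         # True
    print(hardened_check("victim-session", crumb, {"Origin": "https://attacker.example"}))  # False
```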
In addition, he said the whole attack can be completely automated by leveraging a yet-undisclosed vulnerability located somewhere else in the developer.yahoo.com website.
Because the attack exploits multiple security issues and uses several different techniques, Bogdan called it a "blended threat."
Yahoo did not respond to a request for comment regarding Bogdan's proof-of-concept attack presented at DefCamp and the solution he suggested.
