AOH :: HP Unsorted Y :: TB10109.HTM

Yahoo! Messenger Auth Bypass Vulnerability
Yahoo! Messenger Auth Bypass Vulnerability
Yahoo! Messenger Auth Bypass Vulnerability

This advisory is being provided to you under the policy documented at 
You are encouraged to read this policy; however, in the interim, you have approximately 5 days to respond to this initial email. 
This policy encourages open communication, and I look forward to working with you on resolving the problem detailed below.



Yahoo! Inc. is an American computer services company with a mission to
"be the most essential global Internet service for consumers and businesses".
It operates an Internet portal, including the popular Yahoo! Mail.
The global network of Yahoo! websites received 3.4 billion page views per day
on average as of October 2005.

Yahoo mail services when accessed via Yahoo! messenger are vulnerable to
information leakage and authentication bypass which is caused due to
improper caching of pages by the browser.


When a user receives a new email, Yahoo messenger lets the user click a button to open his
mail account in the browser. During this process, it uses a URL to login to yahoo. This
url then redirects the user to his mail box.

The URL mentioned above is not tied with a session (Same URL can be used any number of times).

Response to this URL does not specify that the browser should not keep its entry in the cache.
Therefore, even after the user logs out of both messenger and email account, the URL entry
still remains in the browser cache. Even after restarting the browser, this URL can be retrieved
from the cache.

Malicious users can easily access browser cache and grab this URL. He can thus login to
victim's Yahoo account without needing his credentials.

The URL looks like following 


Successful exploitation of this vulnerability would allow an attacker to get ACTIVE
access to victim's account. Attacker can therefore impersonate the victim and
misuse the account.


Latest version of Yahoo! messenger is found vulnerable.


Response to the URL mentioned above should not get cached and should not remain in the
cache record of the browser.

This URL should be requested over secure http in order to avoid leaking of the URL at
several intermediate caches.




11/22/2006 Initial vendor notification

??/??/??Initial vendor response

??/??/??Coordinated public disclosure


Kishor Datar ( kishor [_a_t_] )
Cenzic Inc.

Rajesh Sethumadhavan!enclosure=.1dd0ab61 


Copyright =A9

Permission is granted for the redistribution of this alert electronically. It may not be edited
in any way without the express written consent of Cenzic. If you wish to reprint the whole or
any part of this alert in any other medium other than electronically, please email for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing
based on currently available information. Use of the information constitutes acceptance for use
in an AS IS condition. There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to