BLUE MOON SECURITY ADVISORY 2009-05

Title:Cross Site Request Forgery in Yahoo! 360plus
Severity:Moderate
Reporter:Thinh Q. Hoang and Blue Moon Consulting
Products:Yahoo! 360plus
Fixed in:--

Description

We could not find out the definitive description for Yahoo! 360plus from Yahoo! website. This is our own understanding of the application: Yahoo! 360plus is a blogging service.

We have discovered a Cross Site Request Forgery vulnerability in Yahoo! 360plus. The attacker could force an unknowning user to remove all her avatars by visiting a specially crafted page while her Yahoo! 360plus session is still valid.

This problem is similar to the one that allowed removal of user comments in Yahoo! 360 (the older version of Yahoo! 360plus). The link to avatar deletion is, in the case of Yahoo! 360plus Vietnam, http://vn.blog.yahoo.com/setup/profile_photo.php?act=del&prf_photo=1 where prf_photo could be 1, 2, 3, or 4. Unlike other actions where a crumb token is required, this action does not require any token and hence suffers from a CSRF vulnerability.

Workaround

Users of Yahoo! 360plus service should only login to make modifications and logout immediately when done.

Fix

There is no fix at the moment.

Disclosure

Blue Moon Consulting adapts RFPolicy v2.0 in notifying vendors.

Initial vendor contact:
 June 02, 2009: Initial security alert sent to security@yahoo-inc.com
Vendor response:
 --
Further communication:
 --
Public disclosure:
 June 10, 2009
Exploit code:No exploit code required.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.