Clicking on an offline message link in Yahoo Messenger can lead to Session Hijacking

Clicking on an offline message link in Yahoo Messenger is the same as clicking on an unknown link in your yahoo mail! In fact, Yahoo authenticates you before opening the destination link by using this URL:
http://login.yahoo.com/config/reset_cookies_token?.token=[Your Valid Token]&.done=[Destination Link]
Note 1: Fortunately, the destination cannot read your valid token by using referrer section of the HTTP request. However, this valid token is stored at your browser’s history, and if you do not sign-out from Yahoo, it can be dangerous.
Now you may ask why clicking on link while you are authenticating in yahoo is dangerous:
There are a lot of Cross Site Scripting (XSS) vulnerabilities in yahoo.com sub-domains. Some of these XSS attacks are simply detectable by IE8 and/or NoScript (a recommended Mozilla Firefox Add-on), and some aren’t. For example, some of Asian sub-domains of yahoo.com still have SQL Injection. And it is simply possible to cover an XSS attack by using a simple SQL Injection. Moreover, there are some points with different encoded inputs such as UTF-7 or Base64 which can be used to bypass the client-side protections. There are some other types as well that I do not want to talk about them here (I do not want to teach how to find XSS in this post). Some examples: http://www.xssed.com/search?key=yahoo.com

I’m scared. What should I do then?
1- Only open your email in private browsing mode.
2- Do not click on unknown links which are sent to you via offline messages or your email. If you want to open that link, simply open another private browsing and copy/paste that link there to open it. Moreover, you can open those links in a different browser from your open yahoo mail or your default browser.
3- Please always look at the link destination and do not trust its name. For example this link will redirect you to google.com instead of: http://www.yahoo.com/.

I clicked on a link by mistake. What should I do?
1- If you have knowledge of web security, you can open that link while monitoring your browser by using a local proxy such as Fiddler or BurpSuite. You will see if there is any request to yahoo.com or any other domains then.
2- If you are not sure about what you have done, you MUST change your password immediately. This is the only way that you can protect yourself. Even decreasing the life time of your Yahoo session (Cookie) cannot solve your problem.

What will happen if I don’t care?
1- Attackers will have access to your Yahoo.com account without knowing your password. Fortunately, they cannot change your password directly (they still can use forgot password section).

About Soroush Dalili
Web application security pentester.

2 Responses to Clicking on an offline message link in Yahoo Messenger can lead to Session Hijacking

  1. AbiusX says:

    Good article, Would be better with a demonstration.

  2. NassimJD says:

    very interesting find Soroush.