Recently I discovered an unauthenticated redirection on Yahoo.
If you have ever tested or used Yahoo’s website, you may have noticed that whenever you try to redirect outside any of Yahoo’s domains you get a warning like this one:
Because of the origin policy, I was able to redirect only to Yahoo’s own domains without being warned.
So the idea came to my mind after I created a Yahoo group: an email arrived containing a URL that redirected me to the moderators page.
At this point I started checking various things with the redirection, but all of them failed. As I mentioned at the beginning, it was not possible (at this point) to redirect outside Yahoo without being warned.
After some tries, I decided to play with the Origin header and found out that they accepted all *yahoo.com domains. That was enough for my next move.
I changed my hostname to evil.yahoo.com, tried the redirection once again, and ... boom!
The redirection happened normally without any warning, and I was also able to run any code on my localhost.
Here is a video of the PoC ...
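The root cause described above is a trust decision based on the client-supplied Origin header with a loose suffix match. The following added example (not Yahoo's code; the allowlist and host names are constructed for illustration) contrasts that check with one that validates the redirect target itself against an exact allowlist. It also generalizes slightly: a bare suffix match on "yahoo.com" additionally accepts a look-alike such as evilyahoo.com.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts that are legitimate redirect targets.
ALLOWED_HOSTS = {"www.yahoo.com", "groups.yahoo.com", "mail.yahoo.com"}


def weak_is_trusted(origin: str) -> bool:
    """The pattern the post describes: any origin ending in yahoo.com passes.

    Origin is supplied by the client, so a request carrying
    https://evil.yahoo.com (a name the client can resolve locally) is
    trusted, and so is a look-alike such as https://evilyahoo.com.
    """
    host = urlparse(origin).hostname or ""
    return host.endswith("yahoo.com")


def safe_is_trusted(target: str) -> bool:
    """Decide on the redirect *target*, not on a request header, and accept
    only an exact, normalized host from an explicit allowlist."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):
        return False          # rejects scheme-relative and javascript: URLs
    host = (parsed.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


def weak_decision(target: str, origin: str) -> str:
    """Warn only when the Origin header looks foreign; ignores the target."""
    return "redirect" if weak_is_trusted(origin) else "warn"


def safe_decision(target: str) -> str:
    """Warn unless the target host is explicitly allowlisted."""
    return "redirect" if safe_is_trusted(target) else "warn"


if __name__ == "__main__":
    # Constructed request: foreign target, spoofed-looking Origin.
    target, origin = "https://attacker.example/", "https://evil.yahoo.com"
    print("weak:", weak_decision(target, origin))   # redirect (no warning)
    print("safe:", safe_decision(target))           # warn
```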