21 Dec 2009, #1
Yahoo Babelfish - Possible Frame Injection Attack - Des
Yahoo Babel-fish is an online service for translating content into different languages. The stringent design bug leads to the possibility of conducting FRAME injection attacks in the context of the Yahoo domain, thereby resulting in third-party attacks. The issue has been demonstrated in some of my recent conferences. The flaw can be summed up as:
1. There is no referrer check on the origin i.e. the source of request.
2. Direct links can be used to send requests.
3. Iframes can be loaded directly into the context of domain.
Points to Ponder
1. Yahoo login page – performs certain checks, authorized ones.
2. Yahoo implements FRAME Bursting in the main login Page.
It is possible to remove that small piece of code and design a similar page with same elements that can be used further. It is possible to impersonate the trust of primary domain (YAHOO in this case) for legitimate attacks. There is a possibility of different attacks on YAHOO users.
Note: no specific notification is displayed on the top of the translated page.
An attacker can conduct a FRAME attack by following the steps mentioned below:
1. Remove the above stated entities code from the main Login Page.
2. Design the fake domain. Load it in the context of the Yahoo domain.
3. Inline IFRAME provides a familiar fake Login page.
4. Set the backdoor in the Login input boxes for stealing credentials.
5. Trap the victims by diversifying the manipulated URLs on the Web. One can use
6. The attack is all set to work.
Step 1: Injecting IFRAME - Modified
Step 2 – Stealing Credentials
Aditya K Sood's (0kn0ck) Blog: Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency
This attack works successfully. This is a demo setup. You can try some credentials and try to log in.
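The flaws listed in the post (no referrer check, direct links, frames rendered in the service's own domain, no notice on the translated page) map onto checks a translation proxy can apply before it serves third-party markup. The sketch below is an added example, not part of the original post and not Yahoo's code; the host name `translator.example`, the banner text and all function names are assumptions, and it handles frame elements only, not scripts.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed values for this example: host name and banner wording are placeholders.
TRANSLATOR_HOST = "translator.example"
CONTAINERS = {"iframe", "frameset", "object"}   # have an end tag; content dropped too
VOID_FRAMES = {"frame", "embed"}                # no end tag; only the tag is dropped
BANNER = '<div class="notice">Machine translation of third-party page {src}</div>'

def referer_allowed(referer):
    """Accept a translate request only if it came from the service's own pages."""
    parts = urlsplit(referer or "")             # missing Referer, e.g. a direct link
    return parts.scheme == "https" and parts.hostname == TRANSLATOR_HOST

class FrameStripper(HTMLParser):
    """Re-emit tags and text without frame elements; comments and doctype are dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.depth, self.removed = [], 0, 0
    def emit(self, text):
        if self.depth == 0:                     # inside a dropped element: emit nothing
            self.out.append(text)
    def handle_starttag(self, tag, attrs):
        if tag in CONTAINERS or tag in VOID_FRAMES:
            self.removed += 1
            self.depth += tag in CONTAINERS     # an unclosed <iframe> drops the rest
        else:
            self.emit(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        if tag in CONTAINERS or tag in VOID_FRAMES:
            self.removed += 1                   # self-closed: nothing to skip afterwards
        else:
            self.emit(self.get_starttag_text())
    def handle_endtag(self, tag):
        if tag in CONTAINERS:
            self.depth = max(0, self.depth - 1)
        elif tag not in VOID_FRAMES:
            self.emit(f"</{tag}>")
    def handle_data(self, data): self.emit(data)
    def handle_entityref(self, name): self.emit(f"&{name};")
    def handle_charref(self, name): self.emit(f"&#{name};")

def sanitize_translated(html, source_url):
    """Return (banner + frame-free markup, number of frame elements removed)."""
    parser = FrameStripper()
    parser.feed(html)
    parser.close()
    return BANNER.format(src=escape(source_url)) + "".join(parser.out), parser.removed
```

A non-zero removed count is worth logging with the source URL, since a page submitted for translation that carries a login-style iframe is the pattern the post describes.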