Multiple Yahoo! Vulnerabilities and some tips and tricks

Sunday, 6 January 2008

Author: Nemessis[at]RstZone.Org
Website: or

1. Webmessenger China

- Eternal CSRF – an application that looks pretty normal for Yahoo! yet its not really so. The Chinese version doesn't come any close to the original one:

What is the problem?
Use any username to log on to

Use another one for the regular Yahoo! messenger client. Make sure that the user you log with on the regular Yahoo! messenger IS actually in the friends list of the one you are logging in the webmessenger.

Set your status to online and put the following code as your status:
<img src=”” onnerror=”alert(document.cookie)”>
Surprise. The code executes in the browser that you are logged in with the other user.
Impact: Knowing that it is a csrf the perpetrator can steal your login session or it can input a malevolent code without you knowing it.

2. My Chatroom trick

Did you know that you can make use of Yahoo! services to create your own messaging service?
After logging in you will be given an html code containing a link. What can you do with that link? Simple. Lets take this link for example:
If you are logged in you can start a conversation with the user that created that link but, if you were not already logged in and tried to access that link, you would get a random nickname and can start a conversation without a problem. Try and see.


Browser DOS
I tried to apply the same vulnerability I found in the Chinese webmessenger but results came out different.
Though it accepts some statuses that contains html tags, the application that the is based on does not support tags containing <img src=”” bla bla bla>.
The outcome would be the same regardless of the browser you are using. A flash9.ocx error that results in shutting off your browser. Simply put, I is the best booter for the web version of the famous Yahoo! messenger.
Note: The Yahoo! Mail Beta messenger (that one inside of your mailbox) is not vulnerable.

4. Change password trick – interesting but useless

I will explain in short a hypothetical problem.
You know that in order to get to the password changing page you need to first put in your password. Probably those that use to steal cookies know this very well.
In order to get to that page you only need to access this link: (after you logged yourself in to your account). As I was saying, it is interesting but useless as long as you don’t know the password.

5. Trick – The messenger list (NOT the address book)

Log in to your account (acces this link):
You will see your messenger list on that page. It is useful also in case you logged in using just a cookie.

6. Trick – link to avatar

To see the avatar of a user, use te following link:
To see the avatar created by an user on: use this link:

7. Csrf – How to activate mail beta using image tag.

Send to someone using Yahoo! mail Classic an html attachment containing:
<img src="">
After he wil see your message his mail will automatically switch to Beta version.
Csrf – How ot dactivate mail beta using an image tag.
Send someone using Yahoo! mail beta an html attachment containing:
<img src=””>
After he wil see your message his mail will automatically switch to Classic version.
Attention: for Beta version it may be better to manually allow images as that version has the option to block images.

8. Useful links for cookies stealers:

How many times did it happen to you to enter in someone’s email without knowing he runs Beta and you find yourself logged in to his messenger unwittingly?

How can you avoid being automatically logged in to messenger when you enter a Beta mail without necessarily having to switch to mail classic?
Cause the victim can access the mail at any time and notice the change.
The solution is to switch to classic mail just one time. The solution is very simple and it depends on an url. When you put the cookie in the browser make sure NOT to log in directly to Use link:
This will access mail classic without permanently changing the original settings that the owner set. Pretty simple right?

9. Trick – How to login using a simple link

I don’t know what you could use it for but here you have 2 login links:

10. Yahoo! Wiki – phishing with Yahoo!

Did you know about Yahoo! Wiki? Probably not. Here’s what it was created for:
And here’s another use of it:
The url spoof term is widely known. Yet, sometimes you don’t even need that.
You can create a personal page on that wiki and introduce any content you like. The beauty of it is that you can customize the link used for phishing. For example: will be created in the instant I will access it. I will click “Edit” and put my own content. For example: I'm a legit Yahoo service. Just send me your password at
How many people nowadays would trust a phishing-type message hosted on a yahoo! page? I bellieve a whole lot! This is one of the biggest flaws from one of the largest and attacked companies in the world.

Share this content:
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.