Attackers Exploit Web Application (Service) Flaw to break into the Mail Accounts
Hi All,
“Attackers are exploiting a known vulnerability in Yahoo’s network to launch brute force attacks against users’ Yahoo mail accounts. The attackers are using hijacked mail accounts to send spam. The main Yahoo login page has mechanisms in place that protect accounts from brute force attacks, but the recent attacks have been exploiting a web application (services) that automates the authentication process and does not have the attack protection in place.”
Users should choose strong passwords to stay SAFE.
This is actually an interesting vulnerability and should be considered while testing client applications.
Some insight into the attack:
1. A proper mechanism against brute-force attacks has been incorporated in the Yahoo main login page, i.e. after a pre-determined number of wrong login attempts the user is shown a CAPTCHA to prevent further automated attempts.
2. However, there are a few Yahoo services which do not implement this protection.
Google dork: inurl:/config/isp_verify_user will find the links to those services.
3. Clicking on that link will throw a specific error, “ERROR:210:Required fields missing (expected l,p)”, which says that you have not passed any username or password.
Accordingly, crafting a proper link for one of those Yahoo services:
“http://69.147.112.199/config/isp_verify_user?l=santosh@yahoo.com&p=passwd” will return one of the errors/messages mentioned below:
- “ERROR:102:Invalid Login” for a wrong user id
- “ERROR:101:Invalid Password” for a wrong password
- “OK:0:santosh_jadhav” for a correct username and password
Yahoo has not implemented a wrong-attempts check on these web services.
Recommendations (from tacticalwebappsec blog):
- Implement proper ACLs on all web service apps. In this case, the isp_verify_user app was clearly not intended for direct client usage, yet there are no ACLs that prevent an end user from accessing it.
- Identify any rogue web application authentication interfaces. This is a big problem for organizations that are either newly deploying distributed web service apps or have newly acquired a business partner.
- Every web application must have some form of anti-automation capability in order to identify when clients are sending automated requests.
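To make the three recommendations concrete, here is an added example (my own illustration, not Yahoo's code and not from the tacticalwebappsec blog) of how a credential-verification service like isp_verify_user could be hardened. It keeps the page's l/p parameters and the ERROR:210 message, but adds a source-address ACL, a sliding-window failure counter per account and per client, and a single generic failure message. The 403/429 codes, the network ranges, the account data and the SHA-256 hashing are assumptions made for the example only.

```python
"""Hardened credential-verification endpoint (added example, not Yahoo's code).

Assumptions, not taken from the original post: the service is reachable only
from allow-listed partner networks, and failed attempts are counted per
account and per client address over a sliding time window.
"""
import hashlib
import hmac
import ipaddress
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed per window before throttling
WINDOW_SECONDS = 300    # sliding window length in seconds


class VerifyUserService:
    def __init__(self, users, allowed_networks, clock=time.time):
        # users: {login: password_hash}; constructed sample data, not real accounts
        self._users = users
        self._allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self._clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)      # key -> timestamps of recent failures

    @staticmethod
    def hash_password(password):
        # Illustrative only; a real deployment would use a slow, salted KDF
        # (bcrypt, scrypt or argon2) rather than a bare SHA-256.
        return hashlib.sha256(password.encode()).hexdigest()

    def _source_allowed(self, source_ip):
        # Recommendation 1: ACL on the service itself, not just the login page.
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self._allowed)

    def _recent_failures(self, key):
        # Drop failures older than the window, then count what remains.
        q = self._failures[key]
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def _record_failure(self, *keys):
        now = self._clock()
        for key in keys:
            self._failures[key].append(now)

    def verify(self, params, source_ip):
        """Return a status string in the same ERROR:code:text style as the page."""
        if not self._source_allowed(source_ip):
            return "ERROR:403:Source not permitted"            # code chosen for this example
        login = params.get("l")
        password = params.get("p")
        if not login or not password:
            return "ERROR:210:Required fields missing (expected l,p)"
        # Recommendation 3: anti-automation, keyed on both the account and the client.
        if (self._recent_failures(("acct", login)) >= MAX_FAILURES
                or self._recent_failures(("ip", source_ip)) >= MAX_FAILURES):
            return "ERROR:429:Too many attempts, try later"     # code chosen for this example
        stored = self._users.get(login)
        candidate = self.hash_password(password)
        if stored is None or not hmac.compare_digest(stored, candidate):
            self._record_failure(("acct", login), ("ip", source_ip))
            # One generic message: the caller learns neither which field was wrong
            # nor whether the account exists.
            return "ERROR:100:Invalid login or password"
        return "OK:0:" + login


def make_service(start=1000.0):
    """Build a service with constructed sample data and a controllable clock."""
    clock = {"t": start}
    svc = VerifyUserService(
        {"alice@example.com": VerifyUserService.hash_password("correct horse")},
        ["192.0.2.0/24"],                        # partner range, documentation prefix
        clock=lambda: clock["t"],
    )
    return svc, clock


if __name__ == "__main__":
    svc, clock = make_service()
    for _ in range(MAX_FAILURES + 1):
        print(svc.verify({"l": "alice@example.com", "p": "guess"}, "192.0.2.10"))
    clock["t"] += WINDOW_SECONDS + 1
    print(svc.verify({"l": "alice@example.com", "p": "correct horse"}, "192.0.2.10"))
```

The counter is keyed on the account as well as the client address so that a distributed attack rotating source IPs still trips the account-level limit; the trade-off is that a legitimate user can be throttled for a window after someone else's failed attempts against their account, which is why the window is short and the response says "try later" rather than locking the account outright.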
Auditors must incorporate this check while auditing an application.