Interesting item popped up this morning. It turns out that Yahoo.com has, or rather had, an open redirect on their site. From Full Disclosure:

From: Jing Wang
Date: Thu, 13 Feb 2014 00:04:02 +0800

Dear Sir/Madam,

I am a student from NTU, Singapore. My name is Wang Jing. I just found a yahoo open redirect vulnerability and reported it to yahoo 10 days ago. However, yahoo did nothing about it. The following is full disclosure. Attachment is proof of concept video. And the link below is poc video I just posted on youtube.

I just found one open url redirection vulnerability in yahoo. This attack doesn't even need users to login yahoo. My test is on all browsers in all computer systems. I use "poc of exploit" to denote that url redirection works. Now I will use a website just built by me for the following tests. The website is "http://www.tetraph.com". We can think of this website as malicious, because it is fully under my control.

vulnerable url: …

poc exploit: …

Proof of concept video.

As of this writing the problem appears to have been rectified.

The question that this brings to mind is: have you tested your web properties recently? No, I'm not talking about the annual vulnerability scans that you have some third party come in and run for you. Has there been a concerted effort to check the sites under your control?

Think about the implications of an issue similar to this. An open redirect on a trusted domain would be a great tool for someone to spread malicious software or to use in a phishing campaign, tricking the user into clicking a link that seems perfectly harmless because it starts with a host they recognize. This is a perfect example of why using a vulnerability scanning tool is never enough to ensure that your site is secure. You need to have smart people kicking the tires.

Another point is to respond to researchers in a timely fashion when they contact you. In their minds the timer is running from the moment they email you. Reference: RFPolicy.
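The usual root cause of an open redirect like the one reported above is a "return to" parameter that is passed straight to a Location header. The validator below is an added example (not code from the post or from Yahoo) showing how a site can accept only same-site paths or allowlisted https hosts; the allowlisted host names are placeholders, and the comments call out the bypass shapes a scanner often misses.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example (placeholder hosts, not any real
# site's configuration): destinations a "next"/"return to" parameter may
# legitimately send a user to after login.
ALLOWED_HOSTS = {"www.example.com", "login.example.com"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return `raw` if it is a redirect target we are willing to honour,
    otherwise `default`.  Accepted: a same-site relative path, or an
    absolute https URL whose host is on the allowlist."""
    if not raw or any(c in raw for c in "\r\n\t "):
        return default          # empty, or whitespace/CRLF header tricks
    candidate = raw.replace("\\", "/")   # browsers treat "\" like "/"
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one "/".  A leading "//"
        # is scheme-relative and would leave the site ("//evil.test/").
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme != "https":
        return default          # blocks http:, javascript:, data:, etc.
    # parts.hostname strips any "user:pass@" prefix and the port, so
    # "https://www.example.com@evil.test/" resolves to host evil.test.
    if parts.hostname not in ALLOWED_HOSTS or parts.username or parts.password:
        return default
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed sample inputs mixing legitimate targets and lookalikes.
    for url in ["/account?x=1", "//evil.test/", "https://www.example.com/mail",
                "https://www.example.com@evil.test/", "http://www.example.com/",
                "javascript:alert(1)", "\\\\evil.test/"]:
        print(f"{url!r:45} -> {safe_redirect_target(url)!r}")
```

Wire the function in front of every redirect-issuing handler; a scanner only finds the parameter a crawler reaches, while this check closes the class.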
For one vulnerability that I discovered, I worked with a vendor and it took 8 months to fix the issue. The reason I never got my knickers in a twist was that they were communicating with me every step of the way.

Make sure that your sweet innocent website isn't being co-opted to cause mayhem.

(Image used under CC from Tau Zero)