



Open redirect on Yahoo

Feb 14, 2014 · 3 mins
Application Security

Interesting item popped up this morning. It turns out that Yahoo has, or rather had, an open redirect on their site.

From Full Disclosure:

From: Jing Wang

Date: Thu, 13 Feb 2014 00:04:02 +0800

Dear Sir/Madam,


I am a student from NTU, Singapore. My name is Wang Jing. I just found a yahoo open redirect vulnerability and reported it to yahoo 10 days ago.

However, yahoo did nothing about it.

The following is full disclosure. Attachment is proof of concept video. And the link below is poc video I just posted on youtube.

I just found one open url redirection vulnerability in yahoo.

This attack doesn’t even need users to login yahoo. My test is on all browsers in all computer systems.

I use “poc of exploit” to denote that url redirection works.

Now I will use a website just built by me for the following tests. The website is “”;. We can think this website is malicious, because it is fully under my control.


vulnerable url:



poc exploit:



Proof of concept video.

As of this writing the problem appears to have been rectified.

The question that this brings to mind is, have you tested your web properties recently? No, I’m not talking about the annual vulnerability scans that you have some third party come in and run for you. Has there been a concerted effort to check the sites under your control? Think about the implications of an issue similar to this. This would be a great tool for someone to spread malicious software or to use in a phishing campaign in an attempt to trick the user into clicking a link that may seem perfectly harmless.

This is a perfect example of why using a vulnerability scanning tool is never enough to ensure that your site is secure. You need to have smart people kicking the tires. 
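One way to check a redirect parameter on a site you control before honoring it, as an added example that is not from the original post or from Yahoo's code. The allowlisted hosts, the function names and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only external hosts this site may redirect to (constructed).
ALLOWED_HOSTS = frozenset({"www.example.com", "login.example.com"})


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only if target is a local path or an http(s) URL on an allowed host."""
    if not target or target != target.strip():
        return False
    # Browsers treat "\" like "/" and drop tabs/newlines inside URLs, so reject
    # such input instead of guessing how each browser will normalise it.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept a single-slash path such as "/account",
        # never a "//"-prefixed value that a browser may read as a host.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data: and scheme-relative "//host"
    # .hostname ignores userinfo and port, so "https://allowed@other/" is
    # judged by the host the browser would really connect to.
    return parts.hostname in allowed_hosts


def resolve_redirect(target, default="/"):
    """Destination to send the user to: the target if safe, else a fixed default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample values for a redirect parameter.
    samples = [
        "/account/settings",
        "https://login.example.com/done",
        "//attacker.test/login",
        "https://www.example.com@attacker.test/",
        "https://www.example.com.attacker.test/",
        "/\\attacker.test",
        "javascript:alert(1)",
    ]
    for value in samples:
        print(f"{value!r:45} -> {resolve_redirect(value)!r}")
```
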

Another point is to respond to researchers in a timely fashion when they contact you. In their minds the timer is running from the moment they email you. Reference, RFPolicy. For one vulnerability that I discovered, I worked with a vendor and it took 8 months to fix the issue. The reason I never got my knickers in a twist was that they were communicating with me every step of the way. 

Make sure that your sweet innocent website isn’t being co-opted to cause mayhem.



Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
