Saturday, December 19, 2009

Yahoo Babelfish - Possible Frame Injection Attack - Design Stringency

Yahoo Babel-fish online is a service for translating content to different languages. The stringent design bug leads to the possibility of conducting FRAME injection attacks in the context of yahoo domain there by resulting in third-party attacks. The issues has been demonstrated in some of my recent conferences. The flaw can be summed up as:

1. There is no referrer check on the origin i.e. the source of request.
2. Direct links can be used to send requests.
2. Iframes can be loaded directly into the context of domain.

Points to ponder:
1. Yahoo login Page – perform certain checks , authorized ones.
2. Yahoo implements FRAME Bursting in the main login Page.

It is possible to remove that small piece of code and design a similar page with same elements that can be used further. It is possible to impersonate the trust of primary domain (YAHOO in this case) for legitimate attacks. There is a possibility of different attacks on YAHOO users.

Note: there is no specific notification is displayed on the top of a translated page.

Attacker can conduct a FRAME attack by following below mentioned steps

1. Remove the above stated entities code from the main Login Page.
2. Design the fake domain. Load in the context of Yahoo domain
3. Inline IFRAME provides a familiar fake Login page.
4. Set the backdoor in the Login input boxes for stealing credentials.
5. Trap the victims by diversifying the manipulated URL’s on the Web.One can use
dedicated spamming.
6. The attack is all set to work.

Step 1: Injecting IFRAME - Modified

Step 2 – Stealing Credentials


This attack works successfully. This is a demo setup.You can try some credentials and try to login. :)