Tuesday, May 19, 2009

Yahoo Groups Voting Vulnerability

I found a very interesting security bug at Yahoo Groups Voting System, exploiting this bug leads to complete control of the voting result. 

You can watch the video to see how I made 4 polls -they could be more- using a single account


<br/><a href="http://video.msn.com/video.aspx?vid=cf581209-ad25-4920-821f-0a11bf849cf4" target="_new" title="Yahoo Groups Voting Bug">Video: Yahoo Groups Voting Bug</a>

Bug Demonstration
It's clear that the voting system is differentiating between different users by examining the email address that is associated with the group, and since you can add unlimited number of emails associated with single Yahoo ID and the group settings allow you to change between these emails. you can simply add your vote then change the associated email then vote again as a new voter, you can keep repeating this until you fully manipulate the voting results to the one of your choice.

Simple steps to reproduce this security bug
1- go to the poll of your choice
2- select your candidate of the choices
3- click "Edit Membership"
4- under "Email Address" click "Add new email address" and verify it
5- keep repeating step 4 until you add sufficient number of email addresses
6- now choose any of them as your default associated email
7- go to the poll again and congratulations you can add your vote as it's your first time to add it
8- keep changing the associated email address until your candidate of the vote options win :)

Conclusion
It's very clear that this bug is a security logic vulnerability and hince no static code analysis tool is able to find it (never depend on static code analysis tools only).
Although it's very easy to exploit this vulnerability (I didn't write scripts, didn't run automated scans or use any complex method to exploit this vulnerability) the imact of the vulnerability is very high (maybe all the votes that were created before were manipulated).
There could be more vulnerabilities in Yahoo Groups that I didn't investigate if they have more stuff depending on the associated email 

Keep checking this blog as I decided to publish more and more security vulnerabilities at major websites, since they never fix their issues unless you fully disclose their bugs :)


No comments:

Post a Comment