Devouring Security: Insecure Direct Object References vulnerability in Hotmail and Yahoo Mail
As of today, December 26, 2013, a transient Insecure Direct Object References vulnerability (the term as used by OWASP) exists in Hotmail and Yahoo Mail.
- Gmail: after signing out, if you try to access a Gmail attachment via its URL, you are redirected to the Gmail login page.
- Hotmail: after signing out, if you try to access a Hotmail attachment via its URL, you are still allowed to download/access the attachment for about 5 minutes, after which the URL returns a 400 Bad Request.
- Yahoo Mail: after signing out, if you try to access a Yahoo Mail attachment via its URL, you are still allowed to download/access the attachment for about 5 minutes, after which the URL returns a 500 Internal Server Error, and after some more time you are redirected to the Yahoo Mail login page.
Gmail handles this case correctly. Hotmail and Yahoo Mail do not: although both invalidate the attachment URLs after 5 minutes or so, that still leaves an attacker enough time to retrieve what they need via the attachment URLs.
What I think is probably happening in the case of Yahoo Mail and Hotmail is that there is an access check mechanism that voids itself after 5 minutes or so, or the files live in a private cloud and, when requested for download, are exposed through some form of reverse proxy that voids the URL after 5 minutes or so. I can only speculate. In any case, the strategy is neither consistent nor strict enough, and falls short of today's security standards.
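To make the speculation above concrete, here is an added example (my own construction, not code from Hotmail, Yahoo or Gmail) contrasting the two designs: a download link whose only check is a signed five-minute expiry keeps working after logout, while a per-request check against the live session stops the moment the session is gone. The server class, signing key, attachment ids and status codes are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed signing key for this example; a real service keeps it server-side only.
SIGNING_KEY = b"example-signing-key"

class AttachmentServer:
    """Toy attachment server (constructed for illustration, not any provider's code)."""
    def __init__(self, clock):
        self.clock = clock                 # injectable clock so time can be advanced in tests
        self.sessions = {}                 # session cookie -> mailbox owner
        self.owners = {"att-1": "alice"}   # attachment id -> owning mailbox (constructed)

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def logout(self, cookie):
        self.sessions.pop(cookie, None)

    def _sign(self, att_id, exp):
        return hmac.new(SIGNING_KEY, f"{att_id}:{exp}".encode(), hashlib.sha256).hexdigest()

    # Weak design: only the signed expiry is checked; logout never touches it, so the URL works until it expires.
    def link_expiring(self, att_id, ttl=300):
        exp = int(self.clock()) + ttl
        return f"/get/{att_id}?exp={exp}&sig={self._sign(att_id, exp)}"

    def serve_expiring(self, url):
        u = urlparse(url)
        att_id = u.path.rsplit("/", 1)[-1]
        q = parse_qs(u.query)
        exp, sig = int(q["exp"][0]), q["sig"][0]
        if not hmac.compare_digest(sig, self._sign(att_id, exp)) or self.clock() > exp:
            return 400                     # window closed: "400 Bad Request"
        return 200                         # served, whether or not any session exists

    # Hardened design: every request is checked against a live session owning the mailbox; logout revokes it at once.
    def serve_session_bound(self, url, cookie):
        att_id = urlparse(url).path.rsplit("/", 1)[-1]
        user = self.sessions.get(cookie)
        if user is None:
            return 302                     # no live session: redirect to the login page
        if self.owners.get(att_id) != user:
            return 403                     # logged in, but not the owner of this attachment
        return 200
```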
Video Transcript: (draft)
Hi. In this video, I am gonna show you how Hotmail and Yahoo Mail are vulnerable to "Insecure Direct Object References". Today is Thursday, 26 December 2013, and my name is Marudhamaran Gunasekaran.
If you'd like to learn more about "Insecure Direct Object References", get on to the OWASP site: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References.
What is Insecure Direct Object References? In short, this vulnerability, Insecure Direct Object References, means:
If you are not authorized to access a particular resource, then you should not be able to access that resource. If you were able to access an unauthorized resource (because of poor access control mechanisms), then you have an Insecure Direct Object References vulnerability.
For the purposes of the demo, I have created 3 email accounts: one in Yahoo, one in Gmail, and one in Hotmail.
What I am gonna do is send myself some attachments, an image file and a text file, from my Gmail to my Hotmail and Yahoo email addresses.
Later, I am going to open my inbox in all three email accounts and download all the attachments to my local computer.
I am going to go to the downloads section and copy all three download links to my clipboard for later use.
So, you are logged in to your email accounts, everything is downloadable, just the normal behavior. But you will notice in a while that the normal behavior is going to turn out to be an unexpected, and unacceptable, behavior when I sign out from all three email accounts.
Now, let's sign out from all three email services and paste those copied links, one by one, into Firefox's address bar.
Gmail redirects to the login page, which is the expected behavior. Secure and very smart.
Hotmail serves the image after the user has been logged out, and so does Yahoo Mail. Not secure.
To demonstrate how long this image is served, or how long the download link is valid in Hotmail and Yahoo, I have written a custom JScript in Fiddler to make requests to a URL at a specified time interval. (I will show you how to write custom Fiddler scripts in a separate post.)
I am going to request all three URLs, one by one, at an interval of 15 seconds each.
What you see is Gmail sending you a 302 redirect to the login page, Hotmail serving up the image, and Yahoo Mail serving up the image.
I am going to pause the recording for a couple of minutes, until Hotmail throws an error.
You can see in Fiddler that Hotmail started returning a 400 Bad Request after a while. After the user had logged out, the file was available without any access check for approximately 5 minutes (more or less) in Hotmail.
You can see Yahoo still serving up that image. From my observation, Yahoo errors out after a while, and after some more time, Yahoo redirects the user to the login page.
Now you see that there is a big enough time window for anyone with the URL to download private content, unrestricted.
This may not seem a 'high impact' vulnerability.
But, hey, what if I am an innocent user in a computer cafe, and after viewing/downloading my files, I safely log out of my email sessions on Yahoo and Hotmail and leave the place?
What if the guy that comes next to the same computer, a minute later, is able to access the browser history and download my files, which should have been private in the first place?
Thank you very much.