Two security researchers notified the company of the same bug

Jan 13, 2014 13:59 GMT

Security researcher Stefan Schurtz has found an open redirect vulnerability on Yahoo’s ads.yahoo.com domain. 

Schurtz said he notified Yahoo about the security hole in mid-December. However, Yahoo hasn’t fixed the issue and hasn’t provided any feedback, except to say that open redirects are no longer included in the bug bounty program.

The researcher says the “piggyback” parameter on the domain can be abused to redirect users to arbitrary websites. Such vulnerabilities are highly valuable for phishing and other attacks, because the link a victim sees starts with a trusted domain while the destination is controlled by the attacker.
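To illustrate the defensive side of this class of bug, the following is an added example (not code from the article, from Yahoo, or from either researcher) of a redirect-target validator. The host names and sample inputs are constructed placeholders; `ads.example.com` stands in for whatever host an application legitimately redirects within. It contrasts a naive prefix check with an allow-list check on the parsed host, which is what closes an open-redirect parameter.

```python
from urllib.parse import urlsplit

# Constructed allow-list; placeholder hosts, not any real site's configuration.
ALLOWED_HOSTS = {"ads.example.com", "www.example.com"}


def naive_is_same_site(target: str) -> bool:
    """The kind of check that leaves a redirect parameter open.

    A string-prefix test is fooled by lookalike hosts
    ("https://ads.example.com.evil.example.net") and by userinfo
    ("https://ads.example.com@evil.example.net").
    """
    return target.startswith("https://ads.example.com")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on an allow-listed host.

    Accepts a same-origin relative path ("/landing?id=1") or an absolute
    https URL whose parsed hostname is exactly one of `allowed_hosts`.
    """
    if not target:
        return False
    # Browsers strip tabs/newlines before parsing, so reject any control
    # character or whitespace outright instead of trying to normalise it.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat "\" like "/", so "/\evil" becomes "//evil" (protocol-relative).
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: a single leading slash, never "//" (which urlsplit
        # would have parsed as a netloc anyway, but be explicit).
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme.lower() != "https":
        # Rejects "http:", "javascript:", "data:" and protocol-relative "//host".
        return False
    # .hostname is lower-cased and has port and userinfo removed.
    return parts.hostname in allowed_hosts


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Pick the Location value for a redirect endpoint: the requested
    target if it passes validation, otherwise a fixed default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample inputs a redirect endpoint might receive.
    samples = [
        "/landing?id=1",
        "https://ads.example.com/click?id=7",
        "https://ADS.example.com:443/x",
        "//evil.example.net/",
        "/\\evil.example.net",
        "https://ads.example.com@evil.example.net/",
        "https://ads.example.com.evil.example.net/",
        "javascript:alert(1)",
        "http://ads.example.com/",
    ]
    for s in samples:
        print(f"{s!r:50} naive={naive_is_same_site(s)!s:5} strict={is_safe_redirect(s)}")
```

Running the script shows the two lookalike-host inputs passing the naive prefix check while the strict parser-based allow-list rejects them; the strict check also refuses non-https schemes and protocol-relative targets, which is the behaviour a redirect endpoint needs so the parameter cannot send users off-site.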

Interestingly, another security expert, Kenneth Belva, explained on the Full Disclosure mailing list that he reported the exact same vulnerability to Yahoo on November 21, 2013. He has confirmed that the bug remains unfixed.

Schurtz claims to have reported two other vulnerabilities to Yahoo, but those haven’t been patched either.

It’s worth noting that the ads.yahoo.com domain has been abused recently to serve malicious advertisements to the visitors of yahoo.com.