Security researcher Behrouz Sadeghipour has identified several SQL Injection vulnerabilities in a Hong Kong subdomain of Yahoo. He reported his findings to the company and all the security holes have been fixed.
According to the expert, the flaws have been found in various files on the Hong Kong promotions subdomain (hk.promotions.yahoo.com).
He decided to analyze this subdomain because it contains a lot of Flash files and PHP scripts that could be vulnerable, and it doesn’t appear that the pages have been created by Yahoo’s core developers.
Furthermore, since the pages are in Chinese, it’s likely that they’re ignored by many auditors.
The expert has managed to identify a total of eight vulnerable files. Following his analysis of the Yahoo HK promotions subdomain, Sadeghipour sent 5 reports to the company.
The list of pages on which he found SQL Injection vulnerabilities includes the Emotive2012 page, the Nikon Photo Itinerary page, and the Education page. By leveraging these bugs, the researcher managed to gain access to names, email addresses and other information.
Yahoo addressed the issues within a month of their being reported. The expert has told me that the company has removed the vulnerable files.
As some of our readers might know, this isn’t the first time Sadeghipour has found serious vulnerabilities in Yahoo’s Hong Kong subdomains. Last month, he identified a remote code execution flaw.
At the time, he found an administrator panel for the hk.yahoo.net subdomain that could be accessed with admin/admin credentials.
For additional details on the SQL Injection vulnerabilities found in Yahoo, check out Behrouz Sadeghipour’s blog. You can also check out the proof-of-concept videos he made for a couple of the flaws: