Posting on Behalf of Any User / Posting Without Joining on Yahoo Groups
This was one of the more interesting issues I have ever found. After watching Zahid Ali's and Asadul Islam's findings, I tried to find similar issues on many sites. After trying and trying, I found that Yahoo was very vulnerable to this bug.
I tried to find this bug on Yammer, Google Classroom, Google Hangouts, Facebook and Google Groups. I discovered this bug on a few of them.
Yahoo uses a system in which every group has a group reply email address containing its own group name, and that is the key point of this vulnerability. I used an SMTP server to reply anonymously to those groups.
e.g.: example@yahoogroups.com
Here are the detailed reproduction steps:
1. First, go to https://groups.yahoo.com/ and create a group on any topic; make sure that you have made the group public.
2. Now send an invitation to any user, and you will be notified via mail. Send the invitation to anymail@yahoo.com; here I use Skylinearafat@gmail.com as a test account.
3. Go to a Linux terminal for the next steps:
Test group email address:
bugsee@yahoogroups.com
Enter the terminal command below and press Enter.
sendemail -f Skylinearafat@gmail.com -t bugsee@yahoogroups.com -u Hello -m testing -s mail.smtp2go.com:2525 -xu engyeasirarafat127@gmail.com -xp pPFvrfHYLLku
Details:
-f means From. My test account is Skylinearafat@gmail.com
-t means To. That is the group email address, bugsee@yahoogroups.com
-u means subject. We can ignore it, as it is not necessary.
-m means message. This is where I write the message/comment.
-s means server. As we are using the smtp2go server, the server location will be mail.smtp2go.com:2525
-xu means the smtp2go user name. Mine is engyeasirarafat127@gmail.com
-xp means the smtp2go account password. Mine is pPFvrfHYLLku
After pressing Enter, the comment appeared. For lack of time I can't explain more. For more, watch the PoC (proof of concept) video.
Yahoo has fixed this issue.
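In the steps above, the relayed message reached the group with only its From: address to identify the poster. The following is an added example, not part of the original post and not Yahoo's actual fix, of a check a list server can apply before posting: the sender must have joined the group, and the list's own MTA must have recorded a DKIM or SPF pass for the From: domain. The authserv-id `mx.lists.example`, all addresses and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.lists.example"  # assumption: the list's own inbound MTA
PASS = re.compile(r"\b(?:dkim|spf)=pass\b.*?\b(?:header\.d|smtp\.mailfrom)=(\S+)", re.I | re.S)

def aligned_pass(msg, from_domain):
    """True if our own MTA recorded a DKIM or SPF pass for the From: domain."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # not stamped by our MTA, so the sender could have forged it
        for clause in results.split(";"):
            m = PASS.search(clause)
            # Strict alignment: authenticated domain must equal the From: domain.
            if m and m.group(1).lower().rsplit("@", 1)[-1] == from_domain:
                return True
    return False

def accept_post(raw, joined_members):
    """Decide whether a message sent to the group address may be posted."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr not in joined_members:
        return False, "sender has not joined the group"
    if not aligned_pass(msg, addr.rsplit("@", 1)[-1]):
        return False, "From: domain not authenticated"
    return True, "accepted"

# Constructed sample messages (not captured traffic).
BODY = "To: group@lists.example\nSubject: Hello\n\ntesting\n"
RELAYED = ("Authentication-Results: mx.lists.example; spf=pass "
           "smtp.mailfrom=bounce.relay.example; dkim=pass header.d=relay.example\n"
           "From: member@example.org\n" + BODY)
GENUINE = ("Authentication-Results: mx.lists.example; dkim=pass header.d=example.org\n"
           "From: member@example.org\n" + BODY)
INVITED = GENUINE.replace("member@", "invited@")
JOINED = {"member@example.org"}  # invited@example.org was invited but never joined

if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED), ("genuine", GENUINE), ("invited", INVITED)):
        print(name, accept_post(raw, JOINED))
```

The check is only sound if the inbound MTA strips any incoming Authentication-Results header that already carries its own authserv-id before adding its verdict.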
Yeasir Arafat
Bangladeshi Bug Bounty Hunter
