When doing recon on Yahoo assets during HackerOne AWC 2023, I found a host foo.bar.yahoo.com. I thought it must be some internal tool for engineers: a few pages are listed, but clicking on any of them redirects to Okta SSO. During black-box testing I found a bug: requesting the pages over http instead of https bypassed Okta, and the host was accessible.
- Check the hostname foo.bar.yahoo.com on the Wayback Machine.
- Found an indexed page:
- Go to this page; it redirects to Okta SSO.
- Probe both ports (http and https); http://foo.bar.yahoo.com/page1/endpoint also showed up in the results.
- Check the Content-Length of both pages.
- Go to http://foo.bar.yahoo.com/page/endpoint and the whole page was directly accessible.
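The http-versus-https comparison from the steps above, as an added example that is not part of the original write-up, written from the point of view of a host owner checking their own endpoints: for one path it fetches both schemes without following redirects, labels each first-hop response, records the Content-Length of each, and flags the case where HTTPS redirects to SSO while plain HTTP serves the page directly. The SSO hostname fragment and any hostnames passed to it are assumptions.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: the SSO provider lives on an okta.com hostname; adjust per tenant.
SSO_MARKERS = ("okta.com",)

def classify(status, headers):
    """Label a first-hop response (header names lower-cased): 'sso' = redirect
    to the SSO provider, 'https' = redirect to TLS, 'content' = served directly."""
    location = headers.get("location", "")
    if 300 <= status < 400 and location:
        host = urlsplit(location).netloc.lower()
        if any(marker in host for marker in SSO_MARKERS):
            return "sso"
        if location.lower().startswith("https://"):
            return "https"
        return "other"
    return "content" if status == 200 else "other"

def compare(http_resp, https_resp):
    """Given (status, headers) for the http and https requests of one path,
    report both labels; 'bypass' is True when HTTPS is SSO-gated but HTTP serves it."""
    http_label, https_label = classify(*http_resp), classify(*https_resp)
    return {
        "http": http_label,
        "https": https_label,
        "content_length": (http_resp[1].get("content-length"),
                           https_resp[1].get("content-length")),
        "bypass": https_label == "sso" and http_label == "content",
    }

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url, timeout=10):
    """Return (status, lower-cased headers) for the first hop of one request."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def audit(host, path):
    """Fetch both schemes for host/path and return the comparison report."""
    return compare(fetch(f"http://{host}{path}"), fetch(f"https://{host}{path}"))
```

A healthy setup reports the plain-http side as "https" or "sso", never "content"; the Content-Length pair makes a mismatch between the two responses visible at a glance.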
The host was showing ad traffic. I tried to Google the terms shown, but ended up reporting to the team directly since the terms and results were out of my depth.
Timeline:
- 14 March 2023 - Reported to Yahoo team (via HackerOne)
- 15 March 2023 - Status changed to Pending Program Review by HackerOne
- 18 March 2023 - Triaged by Yahoo staff
- 7 April 2023 - Rewarded
- 3 May 2023 - Resolved
Causes of this finding:
I'm still curious to know how it worked. I have a few guesses as to why it could have happened, but I am still not sure why it worked this way.
- Accessing port 80 instead of port 443 bypasses Okta?
- Server misconfiguration while setting up SSL.
Future work: research the cause by setting up Okta locally.