Yahoo! Susceptible to Cross Site Request Forgery (XSRF) Attacks
Many organizations offer Mobile and WAP enabled flavors of their web applications. These applications may appear to have restricted functionality, but a security vulnerability in these applications can allow malicious users to launch attacks whose implications may propagate to the main applications. For example, a persistent XSS issue that may be present in the mobile version is likely to show up in the full-fledged version of the application (Cross-Application-XSS).
Businesses seem to derive a false sense of security from the fact that these “mobile” web-sites execute a lower volume of transactions than the full-fledged version: it is thus incorrectly assumed that the security risk posed by the mobile version is lower. This assumption is wrong because vulnerabilities present in the mobile version of the application can easily propagate to the main application. Consequently, these applications are not held to reasonable security standards, putting the business’s and its customers’ data at risk.
This seems to be the case with Yahoo! Their “mobile” version is available at http://us.m.yahoo.com/. The Yahoo IM service and the Calendar service exposed at this location are vulnerable to XSRF (Cross Site Request Forgery).
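To make the XSRF risk concrete from the defender's side, here is an added example (not code from the original post, and not Yahoo's code) of a state-changing handler, modelled on a "add calendar event" action, in two forms: one that trusts the session cookie alone, and one that applies the synchronizer-token pattern plus an Origin-header check. All names, the server secret, the site origin `https://example-site.invalid` and the sample requests are constructed for illustration.

```python
import hmac
import hashlib

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = b"example-server-secret-not-for-production"

# Constructed origin of the site being protected.
SITE_ORIGIN = "https://example-site.invalid"


def issue_csrf_token(session_id):
    """Derive a per-session CSRF token (synchronizer token pattern).
    Binding the token to the session with an HMAC means a token issued to
    one user cannot be replayed for another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted):
    """Constant-time comparison so the check does not leak the expected token."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted or "")


def handle_add_event_vulnerable(request):
    """Accepts any POST carrying a valid session cookie. Since browsers attach
    cookies to cross-site form posts automatically, a forged request from
    another site is indistinguishable from a legitimate one."""
    if request.get("cookie_session") is None:
        return 401, "not logged in"
    return 200, "event added: " + request["form"]["title"]


def handle_add_event_hardened(request):
    """Same action with two independent XSRF defences."""
    session_id = request.get("cookie_session")
    if session_id is None:
        return 401, "not logged in"
    # Defence 1: browsers send an Origin header on cross-site POSTs; if it is
    # present and is not our own origin, reject before touching the form.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Defence 2: the form must carry the token issued for this session. A
    # third-party page cannot read our pages, so it cannot learn the token.
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "event added: " + request["form"]["title"]


# Constructed sample requests as the server would see them.
SESSION = "sess-1234"

LEGIT_REQUEST = {
    "cookie_session": SESSION,
    "headers": {"Origin": SITE_ORIGIN},
    "form": {"title": "Dentist", "csrf_token": issue_csrf_token(SESSION)},
}

# A cross-site form post: the victim's cookie is attached by the browser, but
# the submitting page has no way to supply the session-bound token.
FORGED_REQUEST = {
    "cookie_session": SESSION,
    "headers": {"Origin": "https://other-site.invalid"},
    "form": {"title": "Forged", "csrf_token": ""},
}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT_REQUEST), ("forged", FORGED_REQUEST)):
        print(name, "vulnerable:", handle_add_event_vulnerable(req))
        print(name, "hardened:", handle_add_event_hardened(req))
```

Running the block shows the vulnerable handler returning 200 for both requests while the hardened one rejects the forged post with 403. The point for a mobile or WAP front end is that the same handler rules apply there: if the mobile endpoints share session cookies with the main site, a missing token check on the mobile side exposes the main site's account state just as directly.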