Maybe I’m feeling like a victim, and quite possibly Yahoo have done nothing wrong. But I’ve heard many cases about Yahoo and how they deal with security, and in my personal experience, it isn’t pretty. Today, I will be releasing a conversation between me and the Yahoo Security team about an open redirect vulnerability. It is in the OWASP Top 10 and should be well known to any security team. Before anyone goes mad because I’m publicly disclosing a vulnerability: well, I’m not. It has been removed mysteriously, and I’ve had a message back saying they suddenly cannot reproduce the vulnerability I had encountered. What a funny situation we have here, so let’s trawl through the break-up of me and the Yahoo Security team. Prepare yourself, it ain’t a pretty one.
The title isn’t very good; I apologise, I don’t have any catchy names that come to mind, but hey, it’s Sunday! I was looking through VirusTotal, sifting through the god-awful comments (yes, VirusTotal community, pull yourselves together with the comments: “#malware” doesn’t help anyone. At all.), when I found this fairly interesting address. Seems like someone didn’t put an index here..