Looks like YAHOO just released a new feature in their Yahoo India maps, a feature that lets you find driving directions for India. The Yahoo India Maps sure is getting better than its Google counterpart, at least for India. As always, curiosity got even of me, and I started probing various internals of the site. On the whole, the security in the site was impressive, and the script injection that I had earlier found was also fixed. There was also this new SMS feature, and the design of this feature was the one that impressed me the most.
First things first, here are the details of how the script injection was fixed. The script injection was in the print page, and the reason it occurred was that the JavaScript code in the page executed as soon as the page loaded, and did not validate inputs. The change that has fixes the injection is that the server now handles all requests, and the input checking is far better now.
I tried other places where I could potentially insert scripts, but all other places displayed had input obtained and sanitized by the server.
The SMS part was the most interesting. The functionality says that you can select two places, get driving directions between them, and can also get it on SMS to the mobile phone in India. A little trace on that and I realized that it was a simple URL get with the message, the phone number and a signature for the message. Now that was the interesting part. To prevent message spam, every message at the browser is signed. The URL receiver at the server side verifies the signature before the SMS is actually sent. As the signature and the message, both arrive from the server, the client cannot really mess around with the contents, thus preventing spam SMS to users. As of today however, replay is still possible as the signature does not seem to have time as a factor.
Hence, any user can hit a URL multiple time. The URL happens to be something like http://in.maps.yahoo.com/php/ymi_send_sms.php?phnum=
multiple times to send message spams !!
This can be fixed however, but I am not sure that including a time frame for the signature can actually solve the problem of replay. Something simpler like captchas for messages that are re-sent to the same mobile number seems a more practical solution . So, right now, you can hit the browser reload a million times with the proper URL, and the SMS reciever is sure to get a little irritated.
To conclude, it sure looks like the entire Yahoo India Maps has got a face lift. It is a lot better in design over the previous time, and unfortunately, I have not found any hacks yet. Congratulating the maps team, I am back to my work to see if I can get lucky to hit atleast one vulnerability !!!
