b3hr0uz
Posted May 19, 2014

Hello. Normally I don't write a write-up for an XSS vulnerability; however, this XSS was a bit different because it affects hundreds of Yahoo! subdomains. After my SQL injection on the HK sub-domains, I decided to actually start focusing on the more major sub-domains of Yahoo, and as a result I was able to XSS quite a few of Yahoo's services. Here are a few to name:

Travel
Food
Autos
Security
Developer
News
Weather
Shine
Shopping
Celebrity
TV
Voices
Homes
Music
Finance
Cricket

The list doesn't stop there. This vulnerability affects all of Yahoo's services where a user is able to make a comment, including the ones listed above in other languages as well.

Now the question is: was this a self XSS, or did it get stored somewhere and get presented to other users? The answer to that question is... BOTH!

The Research:

Now how is this possible, and what was the process for all of this?

In the beginning of the research I decided to poke around the "Tech" service of Yahoo, found a comment section, and decided to comment on this post and give it the following string:

“><img src=x onerror=prompt(1);>

This left me with the execution of an IMG ( “> ) tag but no prompt. So I decided to try a few other strings, and that led me to using HTML entities and changing it to the following format:

"><img src=x onerror=confirm(1);>

Now what? Voilà! We get the famous confirm(1) popup.

But how does this explain the XSS on all of the Yahoo services listed and more?! Well, the Tech blog wasn't the only place that had a comment section. Many of Yahoo's services have a comment section. Some use the exact same comment platform as the one on "Tech" and "Travel", and some have a different comment platform, like the one on Sports, Weather, and Finance, BUT both store the comments in a tab under "My Comments" -> "All Comments", and you will see the stored self XSS there.
The "self XSS" could also be engineered to be seen in the "Most recent" or "Most discussed" topics, which would execute the specific XSS string.

Why is this a critical vulnerability? (Attack Vector)

The websites which use the same platform as the attached video (the same as the one on the Tech, Food, and Travel services) will store the string and present it to anyone visiting the post containing the comment. So with a simple bot, or an easy copy/paste, we could post a comment containing malicious code to hijack the visitors' session/cookie. We could also simply target a specific user by linking them to a post containing a comment with the attacker's malicious code.

Who's affected by this Vulnerability?

Thousands (if not millions) of users use Yahoo and Yahoo Mail in the 65 countries supported by Yahoo. Each Yahoo international/country domain (such as Hong Kong, Taiwan, Netherlands, India) uses one of the two comment platforms in its daily blogs (news, food, tech, sports, etc.), which get thousands of Yahoo and non-Yahoo member visitors daily and could have been a target of this vulnerability.

Demo:

Here's a short video describing the attack, just to show a few other sub-domains that were affected by this vulnerability:
https://www.youtube.com/watch?v=3E80IDj0X_E

Behrouz Sadeghipour
5/25/2014

Timeline:
04/29/2014 – Initial report
04/29/2014 – Triaged
04/30/2014 – Comments section disabled on Y! services
05/02/2014 – Patched but no update
05/16/2014 – Resolved and granted permission to publish
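Added example, not code from the original post and not Yahoo's comment platform: a minimal comment renderer in JavaScript that reproduces the attribute-context breakout the write-up's payload relies on, beside a hardened version that HTML-escapes untrusted text before it reaches markup, plus a crude check a reviewer can run over rendered output. The template markup, the author name "alice", and the helper names (escapeHtml, countStartTags, commentInjectsMarkup) are assumptions for illustration; the real widget's HTML is not known from the post.

```javascript
// Added example, not code from the original post or from Yahoo's comment
// platform. It shows why the payload in the write-up works: the leading `">`
// closes a double-quoted attribute and its tag, so the <img> that follows is
// parsed as real markup. The template below is an assumed stand-in for the
// real comment widget's HTML.

// The string the write-up used once the first attempt failed.
const PAYLOAD = '"><img src=x onerror=confirm(1);>';

// Number of element start tags the template itself emits (<div> and <span>).
const TEMPLATE_TAGS = 2;

// Vulnerable renderer: untrusted author/text are concatenated straight into a
// quoted attribute and into the element body with no encoding.
function renderCommentUnsafe(author, text) {
  return `<div class="comment" data-author="${author}" title="${text}">` +
         `<span class="body">${text}</span></div>`;
}

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML parsing state. Escaping the
// quotes as well as the angle brackets is what keeps a value inside a
// double-quoted attribute from closing it, which is exactly the breakout the
// payload relies on.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened renderer: every untrusted value is escaped at the point it enters
// markup, so the same template is safe for both the attribute and the body.
function renderCommentSafe(author, text) {
  const a = escapeHtml(author);
  const t = escapeHtml(text);
  return `<div class="comment" data-author="${a}" title="${t}">` +
         `<span class="body">${t}</span></div>`;
}

// Crude reviewer's check over rendered HTML: count element start tags. A
// comment rendered correctly never adds to the ones the template emits.
// (Regex-based and constructed for this example; a real audit should use an
// HTML parser, since browsers tolerate many malformed tag forms.)
function countStartTags(html) {
  const matches = html.match(/<[a-zA-Z][^\s>\/]*/g);
  return matches ? matches.length : 0;
}

function commentInjectsMarkup(html) {
  return countStartTags(html) > TEMPLATE_TAGS;
}

// Self-check: the unsafe renderer leaks two extra <img> start tags (one from
// the attribute breakout, one from the body); the hardened one leaks none.
console.log('unsafe injects markup:', commentInjectsMarkup(renderCommentUnsafe('alice', PAYLOAD)));
console.log('safe injects markup:  ', commentInjectsMarkup(renderCommentSafe('alice', PAYLOAD)));
```

Two points the example makes that the write-up only implies. First, the fix belongs at the output-encoding step of whatever renders the comment, on every surface that displays it ("My Comments", "Most recent", the post page itself), which is why one unencoded field reached so many sub-domains. Second, the cookie-theft scenario assumes the session cookie is readable from script; with HttpOnly set, an injected script cannot read document.cookie, but it can still issue requests in the visitor's session, so cookie flags reduce the impact without removing the vulnerability.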