Intro

Seems it’s time to disclose 21 zero-day XSS on Yahoo.
I am not breaking any rules or laws of any country (I hope lol) by posting this publicly: Yahoo officially says it needs only 90 days to roll out a fix for any vuln (see https://hackerone.com/yahoo, Yahoo’s bug bounty rules). This vuln affects 21 different Yahoo domains and has not been fixed for a year.

I reported this issue 9 months ago (https://hackerone.com/reports/77385) and tried to bump it, but no luck. They said that my report is a dup of https://hackerone.com/reports/54625 (reported around March 2015).

The main purpose of this post is just to draw the attention of the Yahoo security team to this ticket again (and finally get it fixed!).

XSS

Facts:

  • Reflected
  • Works only in IE (tested in IE 10 / Win 7; should work in 7, 8, 9)
  • Bypassing IE XSS filter

Based on the technique by https://twitter.com/Black2Fan, which makes it possible to inject an XSS payload into the HOST header of the user’s request (read more here).

PoC: https://sergeybelove.ru/exploits/yahoo_ie.php (IE only! It just injects an H1 tag)

Screen Shot 2015-07-21 at 10.54.58 PM

Screen Shot 2015-07-21 at 11.00.50 PM

This XSS is caused by the balancer and… affects other domains! I wrote a simple scanner:

I used it for mass checking and found that other domains (including flickr.com) are also vulnerable:

Why 21? Some other domains, like the mail one on the first screenshot, should be checked manually.
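The post does not show the scanner or the balancer code, so here is an added example (mine, not the author’s or Yahoo’s) that models the bug and its fix side by side. The vulnerable builder echoes the Host header raw into an HTML error page, exactly the reflection described above; the hardened builder validates the header syntactically, matches it against a hypothetical allow-list (the hosts and the 421 choice are my assumptions), and HTML-escapes it on output. The last function is the kind of offline check a defender runs against their own response-building code: feed it a marker in the Host value and see whether the marker survives unescaped.

```python
"""Host-header reflection in an HTML page: vulnerable vs hardened, plus a self-check."""
import html
import re
from typing import Callable, Tuple

# Hypothetical allow-list of hostnames this front end is meant to serve.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# RFC 1123-style hostname with an optional port; rejects anything that is not a
# plausible Host value (angle brackets, spaces, quotes, etc.) before it reaches HTML.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
    r"(?::\d{1,5})?$"
)


def vulnerable_page(host: str) -> Tuple[int, str]:
    """Models the balancer behaviour from the post: Host copied verbatim into markup."""
    return 400, f"<html><body><h1>Bad request for {host}</h1></body></html>"


def hardened_page(host: str) -> Tuple[int, str]:
    """Validate, allow-list, then escape. Unknown or malformed hosts never get echoed."""
    if not HOST_RE.match(host):
        # Malformed Host: generic error, nothing attacker-controlled in the body.
        return 400, "<html><body><h1>Bad request</h1></body></html>"
    name = host.split(":")[0].lower()
    if name not in ALLOWED_HOSTS:
        # 421 Misdirected Request: the name is syntactically fine but not ours.
        return 421, "<html><body><h1>Misdirected request</h1></body></html>"
    # Even a trusted value is escaped; defence in depth if the allow-list grows.
    return 200, f"<html><body><h1>Served for {html.escape(host)}</h1></body></html>"


def reflects_host_unescaped(build: Callable[[str], Tuple[int, str]],
                            marker: str = "<h1>x</h1>") -> bool:
    """Return True if the marker placed in the Host value comes back raw in the body.

    Constructed test input: a hostname we do not own with a harmless HTML marker
    appended, the same idea as the H1 injection the post describes.
    """
    _status, body = build(f"unknown.invalid{marker}")
    return marker in body


if __name__ == "__main__":
    print("vulnerable reflects:", reflects_host_unescaped(vulnerable_page))  # True
    print("hardened reflects:", reflects_host_unescaped(hardened_page))      # False
```

The three checks in `hardened_page` are independent layers: the regex stops markup from ever becoming part of a page, the allow-list stops the front end from answering for names it does not serve, and `html.escape` covers the case where a legitimately allowed name is later echoed somewhere. A balancer that does only the last step would still have answered for arbitrary hostnames, which is why the same bug showed up on every domain behind it.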

One more fact: I added a check for XSS through the HOST header to my small and free one-button scan – http://sergeybelove.ru/one-button-scan/

P.S. I found exactly the same vuln on Wikipedia and they fixed it in just a few days – feel the difference.

UPD: BlackFan tweeted that he reported this issue 2 years ago! And it was a dup.
H1 report by BlackFan

February 28th, 2016

Posted In: bugbounty


Bug bounties (vendor vulnerability reward programs) are becoming more and more widespread. Sometimes a vulnerability search turns up areas that are evidently insecure (e.g., self-XSS) but whose threat is hard to prove. Yet the larger (or even the smarter) the vendor (e.g., Google), the more willing it is to discuss the reported vulnerability, confirm it, and reward it if the case is made. This article is a collection of such complicated situations and of the ways to prove a threat and make the Internet more secure.


December 9th, 2014

Posted In: bugbounty
