Yahoo two XSSI vulnerabilities chained to steal user information (750$)

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · bug-bounty
AI Summary

A researcher chained two XSSi (Cross-Site Script Inclusion) vulnerabilities at Yahoo to steal user account information by extracting a valid crumb token from a dynamic JavaScript file and using it in a JSONP endpoint request, earning a $750 bounty.

Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty)

by hyde · ~3 min read · July 29, 2018 (Updated: August 1, 2018)

While intercepting requests using Burp Suite I noticed the following request:

When I saw that this was a JSONP endpoint I immediately knew this could potentially be an XSSi vulnerability. However, I noticed that if the value for the .crumb GET parameter wasn't valid it would return the following response:

At this point I realized that if I could somehow steal the victim's valid .crumb value, I could successfully steal information about their account. I then searched all requests I intercepted in Burp Suite for my valid crumb and quickly found it in a dynamic JavaScript file located at: https://messenger.yahoo.com/embed/app.js

If you go to this page now you will not find the logoutCrumb value since they have patched this issue. However, when I initially discovered this issue the file looked like this:

Now, for people that don't understand how XSSi works: the vulnerability essentially takes advantage of the Same-Origin Policy (SOP) not being applied to the src attribute of a script tag. A page on any origin can include a script from another origin, the browser loads it with the victim's cookies attached, and whatever globals that script defines become readable to the including page.

I then created the following Proof of Concept, which steals the valid .crumb value from the dynamic JavaScript file at https://messenger.yahoo.com/embed/app.js and then places the valid crumb in the .crumb GET parameter, as seen here: https://jsapi.login.yahoo.com/w/device_users?.crumb=POR1.kRjsx. This returns a proper response containing information about the user. Using the code below I was able to extract that information:

Yahoo XSSi PoC

Proof of Concept

Dataset 1:

Dataset 2:
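To make the fix concrete, here is an added example (not the author's PoC and not Yahoo's code) that models the two resources from the chain in Node.js: a dynamic script that bakes a per-user crumb into executable JavaScript, and a JSONP endpoint gated only by that crumb, each beside a hardened form. `SESSION`, `USERS`, the request shape and the function names are assumptions made for this example; `Sec-Fetch-Site` and `Sec-Fetch-Dest` are the real Fetch Metadata headers modern browsers send, and `SameSite=Lax` is a real cookie attribute.

```javascript
// Added example, not code from the original post. Models the two Yahoo resources
// discussed above in vulnerable and hardened forms so the fix can be tested offline.
// SESSION, USERS and the request objects are constructed sample data.

const SESSION = { cookie: "Y=session-abc", user: "alice", crumb: "POR1.example" };
const USERS = { alice: { devices: ["iPhone", "Chromebook"] } };

function lookupSession(cookieHeader) {
  return cookieHeader === SESSION.cookie ? SESSION : null;
}

// A <script src="https://victim/..."> on a third-party page arrives as a
// cross-site script fetch; a same-origin fetch()/XHR or <script> does not.
function isCrossSiteScriptInclusion(headers) {
  return headers["sec-fetch-dest"] === "script" && headers["sec-fetch-site"] === "cross-site";
}

// --- Resource 1: the dynamic script (modelled on /embed/app.js) ----------

// Vulnerable: the crumb is embedded in executable JavaScript, so any origin that
// includes the script can read window.logoutCrumb afterwards.
function buildAppScriptVulnerable(session) {
  return `window.logoutCrumb = ${JSON.stringify(session.crumb)};\n` +
         "window.initMessenger = function () {};\n";
}

// Hardened: the script is static and carries no per-user secret at all.
function buildAppScriptHardened() {
  return "window.initMessenger = function () {};\n";
}

// The crumb is instead served as same-origin JSON. The ")]}',\n" prefix turns the
// body into a syntax error if it is ever loaded as a script, and nosniff stops the
// browser from reinterpreting the JSON as JavaScript.
function crumbEndpoint(req) {
  if (isCrossSiteScriptInclusion(req.headers)) return { status: 403, body: "" };
  const session = lookupSession(req.headers.cookie);
  if (!session) return { status: 401, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/json", "X-Content-Type-Options": "nosniff" },
    body: ")]}',\n" + JSON.stringify({ crumb: session.crumb }),
  };
}

// --- Resource 2: the JSONP endpoint (modelled on /w/device_users) --------

// Vulnerable: the crumb is the only gate, so once it has leaked, a cross-site
// <script src> carrying the victim's cookies receives the real account data.
function deviceUsersVulnerable(req) {
  const session = lookupSession(req.headers.cookie);
  const cb = req.query.callback;
  if (!session || req.query[".crumb"] !== session.crumb) {
    return { status: 200, body: `${cb}({"error":"invalid crumb"})` };
  }
  return { status: 200, body: `${cb}(${JSON.stringify(USERS[session.user])})` };
}

// Hardened: refuse cross-site script inclusion outright, keep the crumb check as
// defence in depth, and accept only a plain identifier as the callback name so
// the response cannot be turned into reflected script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;
function deviceUsersHardened(req) {
  if (isCrossSiteScriptInclusion(req.headers)) return { status: 403, body: "" };
  const cb = req.query.callback;
  if (!CALLBACK_RE.test(cb)) return { status: 400, body: "" };
  const session = lookupSession(req.headers.cookie);
  if (!session || req.query[".crumb"] !== session.crumb) return { status: 403, body: "" };
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff" },
    body: `${cb}(${JSON.stringify(USERS[session.user])})`,
  };
}

// Cookie attributes the login flow should set: with SameSite=Lax the browser does
// not attach the session cookie to a cross-site <script src> load in the first place.
function sessionSetCookie(session) {
  return `${session.cookie}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Two constructed requests: the cross-site inclusion used in the chain above, and
// the legitimate same-origin use of the endpoint.
const crossSiteReq = {
  headers: { cookie: SESSION.cookie, "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" },
  query: { ".crumb": SESSION.crumb, callback: "cb" },
};
const sameOriginReq = {
  headers: { cookie: SESSION.cookie, "sec-fetch-site": "same-origin", "sec-fetch-dest": "script" },
  query: { ".crumb": SESSION.crumb, callback: "cb" },
};

console.log("vulnerable, cross-site:", deviceUsersVulnerable(crossSiteReq));
console.log("hardened, cross-site:", deviceUsersHardened(crossSiteReq));
console.log("hardened, same-origin:", deviceUsersHardened(sameOriginReq));
```

Run with `node` to see the three outcomes side by side. The point of the layered checks is that each one independently breaks the chain described in the post: removing the crumb from the script removes the first leak, the Fetch Metadata check rejects the cross-site `<script>` load even if a crumb did leak, and `SameSite=Lax` means a cross-site script load would not carry the session cookie in the first place. The callback whitelist is unrelated to XSSi but is the other standard JSONP hardening and costs one line.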
Below is a screenshot of the payload I submitted to Yahoo, for which I received a $750 bug bounty.

Overall, I had a great time developing the Proof of Concept for this vulnerability chain and I hope others are able to learn a thing or two from this write-up.