yahoo


Intro

Hi Guys, This is my first blog post, so pardon me for any mistakes. I found this bug back in 2014 when Yahoo's bug bounty was launched on HackerOne. Yahoo has a huge scope under its bug bounty program.


Details

URL: https://tw.user.bid.yahoo.com

POC

https://tw.user.bid.yahoo.com/tw/uconfig/multinpbremind?.done=javascript:alert("XSS")


As usual, I started by enumerating sub-domains and found Yahoo's Taiwan services. There were multiple sub-domains, each hosting a different service. One of them was tw.user.bid.yahoo.com. I went to the profile section on that sub-domain, and while saving some changes a new page loaded confirming the changes made. I noticed a parameter, .done, in the URL bar whose value was the homepage of that sub-domain. The page has a Finished button which takes you to that homepage after saving changes.

I tried to get an open URL redirect by providing an arbitrary domain, but it didn't work. After that I replaced the value with javascript:alert("XSS"), and when I pressed the Finished button the popup appeared. I immediately reported it to the Yahoo team and they patched the bug.
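The behaviour described above (an arbitrary domain is rejected, but a javascript: value is accepted) is what you get from a redirect-target check that only looks at the host name. The following is an added example, not Yahoo's code: a hypothetical naive check with that weakness beside a hardened one that parses the value as a URL, requires an http(s) scheme, and requires the exact site origin. The function names and SITE_ORIGIN are assumptions for illustration.

```javascript
// Added example (not Yahoo's code): a naive ".done" redirect-target check
// that behaves like the one described in the post, beside a hardened one.
// Helper names and the origin constant are hypothetical.

const SITE_ORIGIN = 'https://tw.user.bid.yahoo.com';
const SITE_HOST = 'tw.user.bid.yahoo.com';

// Naive check: only rejects values that name a *different* host. A value
// with no http(s) host at all (a relative path, or a javascript: URI) is
// treated as same-site and slips through. This is the bug.
function isSafeDoneNaive(done) {
  const m = /^https?:\/\/([^/?#]+)/i.exec(done);
  if (m) return m[1].toLowerCase() === SITE_HOST; // host check only
  return true;
}

// Hardened check: resolve the value against the site origin, then require an
// http(s) scheme and the exact site origin. javascript:, data:, and
// protocol-relative (//evil.example) values all fail.
function isSafeDoneHardened(done) {
  let url;
  try {
    url = new URL(done, SITE_ORIGIN);
  } catch {
    return false; // unparsable value
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return url.origin === SITE_ORIGIN;
}

// Pick the redirect target for the Finished button: the validated .done
// value, or the homepage as a safe fallback.
function resolveDone(done) {
  return isSafeDoneHardened(done)
    ? new URL(done, SITE_ORIGIN).href
    : SITE_ORIGIN + '/';
}
```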


Impact

Interestingly, to get the XSS to work there was no need to make any changes to the profile section; simply opening the confirmation page with the injected payload in the parameter did the job. So this bug can be used to steal session cookies. On top of that, the sub-domain holds some sensitive info, including credit card details used to make bids on different products.


Timeline

  • Found and reported – 07/10/2014
  • Triaged – 07/12/2014
  • Fixed – 07/23/2014
  • Bounty Awarded – 09/11/2014