
Persistent XSS Vulnerabilities in Yahoo

I received some gadgets and T-shirts from Yahoo. Why? Here is what I did. I found Persistent XSS (Cross-Site Scripting) vulnerabilities in Yahoo Calendar.

Steps to Reproduce XSS Vulnerability in Yahoo Calendar

1: I logged into my Yahoo account and navigated to Calendar.
2: Created two calendars.
- On the left-hand side you will find the option to create a new calendar. I named them Calendar 1 and Calendar 2.
3: Created a new event and filled in the rest of the fields. The Location field was the vulnerable one, so I used a payload for that field.
And clicked SAVE to save the event.
4: Then I re-opened the event; nothing happened 🙁
I edited it, moved it to the other calendar, and re-opened the event. That's it! I got "T-Shirt" in a pop-up :D. It was a stored one, so whenever I opened the event the same pop-up appeared.
Steps to Reproduce XSS Vulnerability on a Yahoo Site via Yahoo Mail
For this I used two email accounts. One must be a Yahoo account; the other can be from any other provider, or Yahoo as well.
1: I sent an email to my Yahoo account, and in the Subject field I used a payload to execute the alert message.
2: Logged into the Yahoo account, and then navigated to any local Yahoo site. For example: http://au.yahoo.com/
— The alert was executed on the Yahoo site because it shows a preview of the latest emails.
3: Once the site is loaded, it also loads the emails, so the alert message is executed as soon as it loads the email that was sent with the payload in the Subject field. To verify, I rechecked the Subject field from the main site (not in mail.yahoo.com): it showed just “> and the rest of the code wasn't shown, which means it took the payload as an injection.
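The root cause in both walkthroughs above is the same: a stored field (the event Location, the mail Subject) is written into the page as raw markup, which is why only a leftover “> was visible once the rest had been consumed as a tag. The following JavaScript is an added example, not code from this post or from Yahoo; it contrasts that unsafe rendering with escaped rendering on a constructed sample event (escapeHtml, renderEventUnsafe, renderEventSafe, countTags and sampleEvent are names assumed for the example).

```javascript
// Escape the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted text concatenated straight into markup.
// A value containing "> closes the title attribute and starts a new tag.
function renderEventUnsafe(ev) {
  return '<div class="event" title="' + ev.location + '">' +
         ev.title + ' @ ' + ev.location + '</div>';
}

// Hardened pattern: every untrusted value is escaped for the context it lands in
// (a double-quoted attribute and element text, which the same escape covers).
function renderEventSafe(ev) {
  const loc = escapeHtml(ev.location);
  return '<div class="event" title="' + loc + '">' +
         escapeHtml(ev.title) + ' @ ' + loc + '</div>';
}

// Quick check for rendered output: count tag openers. A safely rendered card
// contains exactly the two tags the template emits (<div> and </div>).
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Constructed sample event; the location mimics the "> breakout the post observed.
const sampleEvent = {
  title: "Team meeting",
  location: 'Room 4"><b>injected</b>',
};

console.log(renderEventUnsafe(sampleEvent)); // 6 tags: the <b> breaks out of the attribute
console.log(renderEventSafe(sampleEvent));   // 2 tags: the payload is shown as literal text
```

The same rule applies to the Subject preview widget: the preview should set the subject as text (textContent), never as innerHTML.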
 
I reported the vulnerabilities to the Yahoo Security team in time, and they were very quick at fixing them.
This is the first time I am writing an article about my findings on XSS (Cross-Site Scripting). I hope this will be helpful, especially for beginners like me in the field of Web Application Security research. As I said, the XSS vulnerabilities have been reported to the Security team and were fixed well in time.
Update: Recently Yahoo has started a Bug Bounty program, and now they are giving monetary rewards as well as HOF. As my findings were before Yahoo started the bug bounty program, I think that to get listed in the HOF I need to get back to Yahoo once again 🙂