Single vulnerability to cause stored XSS in Yahoo, Flickr, Google, Twitter, Amazon, Youtube, Pinterest and more

Hello. In my recent research on Y! Toolbar and Flickr, I was able to identify and report a few vulnerabilities to Yahoo. Keep in mind that before starting this research, while installing a few things on my new box, I had accidentally installed Y! Toolbar in Chrome (so my Windows box has Chrome, but my Linux box does not). While poking around Flickr looking for vulnerabilities, I had set a few titles to different XSS payloads which in the past had never worked, but suddenly something was triggering those payloads (keep in mind that I wasn't able to reproduce my own findings on my Linux box). So what was causing these to suddenly work ONLY for me?

With the help of Olivier Beg, we were able to identify Y! Toolbar as the root of the problem, causing XSS in multiple components of Flickr:


A few days later (since I had not heard back from Yahoo! yet), I decided to go back and see if I could find more XSS caused by Y! Toolbar (maybe on other Y! services), and was able to get Y! Toolbar to trigger my XSS payloads in Yahoo's Shopping services and Y! Answers:

Now here's where it all gets better. If Y! Toolbar is the main cause of these problems, will I be able to get the same results under the same circumstances on other websites? The answer to that is YES. By simply doing a Google search with an XSS payload, I was able to get the following results:

Google:

YouTube:

Twitter:

Pinterest:

Amazon (not sure why I didn't capture the whole page when I took the screenshot):


Here’s a video demonstrating a few of these:

Impact and attack vector:

Who's affected by this? Anyone using Y! Toolbar could have their Yahoo, Google, YouTube and other accounts hijacked simply by visiting any of those websites on a page that contains an XSS vector. Since these are highly reputable websites, it is easier for an attacker to hijack accounts: the victim trusts the site, yet the page carries content crafted for the attack.

How can you prevent that from happening?

Update Y! Toolbar to the latest version (if it hasn't already been updated automatically) or remove Y! Toolbar.
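The post does not say which part of the toolbar reflected page content unsafely. As an added illustration (not the Y! Toolbar's code and not the author's), the pattern that typically produces an extension-level bug with this shape is a content script that copies text it read from the page (a photo title, a search query) into its own widget as HTML, so every site that lets users set that text becomes an injection point for everyone running the extension. The function names and the sample title below are assumptions constructed for the example.

```javascript
// Markup builders standing in for what a content script would assign to
// innerHTML. Working on strings keeps the difference testable without a DOM.

// Minimal HTML entity encoding: the string equivalent of setting
// element.textContent instead of element.innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: page-controlled text concatenated straight into markup.
// Whatever the page author put in the title is parsed as HTML inside the
// extension's widget, on every site the extension runs on.
function buildWidgetMarkupUnsafe(pageTitle) {
  return '<div class="toolbar-hit">' + pageTitle + '</div>';
}

// Hardened pattern: encode before concatenating (in a real content script,
// create the element and set .textContent rather than .innerHTML).
function buildWidgetMarkupSafe(pageTitle) {
  return '<div class="toolbar-hit">' + escapeHtml(pageTitle) + '</div>';
}

// Review helper: lists every tag in the generated markup other than the
// widget's own <div> wrapper. Anything reported means page text became markup.
function foreignTags(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<\/?div\b/i.test(t));
}

// Constructed sample (assumption): a photo title of the kind the post
// describes setting. probe() is a placeholder, not a real handler.
const CONSTRUCTED_TITLE = '<img src=x onerror="probe()">';

function demo() {
  return {
    unsafeForeign: foreignTags(buildWidgetMarkupUnsafe(CONSTRUCTED_TITLE)).length, // 1
    safeForeign: foreignTags(buildWidgetMarkupSafe(CONSTRUCTED_TITLE)).length,     // 0
  };
}
```

Because the bug lives in the extension and not in any one site, fixing or removing the toolbar (as the post recommends) is the only remediation; the affected sites were not themselves rendering the payloads.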

Timeline:

05/17/2014 – Initial Report

05/22/2014 – Triaged

05/30/2014 – Updated Y! Toolbar (no longer able to reproduce the issue)

06/05/2014 – Closed
