Yahoo has addressed a cross-site scripting (XSS) flaw that, prior to May 2, existed in the commenting platforms utilized by most of its services, including travel, food, tech, security, news, TV, music, shopping and weather.
The vulnerability – which could enable information theft by simply posting a piece of code into the comments sections of the aforementioned Yahoo websites – was discovered by Behrouz Sadeghipour, an independent researcher known for hunting down bugs in popular services.
“An attacker could inject a malicious script, which could be used to obtain session tokens, cookies and other sensitive information stored in the users' browser that is associated with Yahoo,” Satnam Narang, a Symantec researcher familiar with XSS flaws, told SCMagazine.com on Monday.
In a Friday post containing proof-of-concept videos, Sadeghipour is shown posting a piece of code, designed to prompt a popup dialog box, into the comments section of a Yahoo website. The popup box is presented in the browser when the code is viewable, and is shown to do so on international Yahoo sites, as well.
“In the proof of concept, it shows the researcher leaving a comment on the page, which stores it in a database, thereby making it persistent, or stored,” Narang said, explaining that this interesting because most XSS attacks are non-persistent.
Sadeghipour published his research after Yahoo issued a fix and granted him permission to discuss it publicly. In his post, Sadeghipour explained that Yahoo disabled the comments sections on April 30, a day after he initially reported the XSS flaw, and the internet corporation fixed the issue by May 2.
“Prior to being patched, [this would affect] any user who visited pages on Yahoo.com that use a specific commenting platform on articles that had been targeted by an attacker,” Narang said. “A really popular article on Yahoo that garnered a lot of views or comments would be a potential target for an attacker.”
Yahoo did not respond to a SCMagazine.com request for comments.