Bug bounty write-up: Reflected cross-site scripting in Yahoo’s Contextual Ads search

I decided to start this blog by writing a post containing a technical write-up of my first (and last) attempt to participate in the bug bounty program promoted by Yahoo!.

In this post I will share technical details on the reflected cross-site scripting vulnerability I discovered around 8 months ago as well as vent about my frustration in dealing with their bounty program.

First things first

After reading several write-ups in blogs and HackerOne reports and realizing how most of the reported vulnerabilities, including the ones that allegedly netted the bounty hunter good payouts, were not hard to find and were something I could definitely do, I decided to jump on the bug bounty bandwagon and see for myself how long it would take to claim my first bounty.

Noticing that Yahoo! was vulnerable to every sort of vulnerability one can imagine and, admittedly, has an enormous attack surface on both *.yahoo.com and *.yahoo.net, I decided it would be my first target.

Surprisingly, after focusing on a single target URL to dedicate my bug hunting efforts to, it did not take more than 5 minutes to discover a reflected cross-site scripting vulnerability in the search field of Yahoo’s Contextual Ads.

The vulnerability

It was discovered that the application did not escape or encode double quotes (“), and this could be leveraged to close the ‘value’ attribute of the ‘s’ input and inject user-supplied data that modifies the contents of the input tag. In order to exploit the issue, one closes the attribute value and appends a JavaScript event to the tag.

<form id="searchform1" name="searchform1" action="http://contextualads.yahoo.net...
<input name="s" type="text" onClick="this.value='';" class="textbox float-left"
value="TestUSER-SUPPLIED INPUT COMES HERE""" id="searchbox1" />

<input type="submit" class="sbb float-left" value="Search" />

As mentioned above, the application did not escape double quotes. These are the perfect conditions for pulling off a reflected XSS exploit:

[Screenshot: trigger-yahoo-xss]

lo and behold…

[Screenshot: yahoo-xss]

Bang! Not bad for a 5 minute cursory look at a Yahoo! website.
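As an added illustration (not code from the original post and not Yahoo’s server code), the constructed Python template below reproduces the attribute break-out described above and shows the fix: attribute-encoding the reflected search term. It parses the rendered tag the way a browser would, so you can check whether the user's input stayed inside the value attribute; the probe string is a benign constructed example that only adds a harmless data attribute.

```python
# Added example: unescaped double quotes in an HTML attribute let reflected
# input break out of the attribute; html.escape(quote=True) prevents it.
# Constructed for illustration; TEMPLATE mirrors the input tag quoted above.
from html import escape
from html.parser import HTMLParser

TEMPLATE = ('<input name="s" type="text" onClick="this.value=\'\';" '
            'class="textbox float-left" value="{value}" id="searchbox1" />')

# Constructed, benign probe: closes the attribute and adds a data attribute.
PROBE = 'Test" data-probe="1'


def render_vulnerable(user_input: str) -> str:
    """Reflects the search term without encoding (the behaviour reported)."""
    return TEMPLATE.format(value=user_input)


def render_fixed(user_input: str) -> str:
    """Attribute-encodes the search term; quote=True also encodes " and '."""
    return TEMPLATE.format(value=escape(user_input, quote=True))


class _InputAttrs(HTMLParser):
    """Collects the attributes a browser would actually see on the input tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_startendtag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)  # attribute names arrive lowercased

    handle_starttag = handle_startendtag


def reflected_attrs(html: str) -> dict:
    parser = _InputAttrs()
    parser.feed(html)
    return parser.attrs


def value_stays_in_attribute(render, user_input: str) -> bool:
    """True when the whole input is still the value attribute and no
    attribute beyond the template's own six appeared on the tag."""
    attrs = reflected_attrs(render(user_input))
    expected = {"name", "type", "onclick", "class", "value", "id"}
    return attrs.get("value") == user_input and set(attrs) == expected


if __name__ == "__main__":
    print(render_vulnerable(PROBE))  # data-probe becomes a real attribute
    print(render_fixed(PROBE))       # the quote is reflected as &quot;
```

The same check works as a regression test against a real response body: feed the returned HTML to reflected_attrs and compare the value attribute with what was sent.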

Yahoo!’s poor response to the report

After the discovery of the issue I put together a quick but well-explained write-up, along with relevant screenshots, and submitted it through HackerOne. Then I waited, I waited and I waited…

More than a month after the report was filed, I got a reply from Yahoo! acknowledging that they had received the report and that the bug was being triaged. Then I waited some more… three months passed with no further contact from Yahoo!. So I decided to chase them by sending a message every couple of weeks to learn the status of the report and whether they found the vulnerability eligible for a bounty.

Six months passed. In the meantime I noticed the issue had been fixed, but I was not given any heads-up about it.

Shortly before Christmas 2014, eight months after the bug report, Yahoo! finally got back to me to say the bug was not eligible for the bounty because *.yahoo.net domains are considered out of scope. I honestly couldn’t remember seeing this anywhere when I started hunting, but oh well…

In the end, regardless of the validity of the vulnerability for the bounty program, it is unacceptable for a bounty program to take nearly one year to respond to a vulnerability report. This left me with a bad impression of Yahoo!’s bug bounty program and I am definitely not taking part in it ever again. I can only hope other researchers have had better experiences.
