A Romanian bug hunter has discovered a “blended threat” targeting Yahoo’s Developer Network Web site that allows unauthorized access to Yahoo users’ emails and private profile data.
At a security conference Sunday, Sergiu Dragos Bogdan demonstrated an abbreviated version of an attack using the YQL console on developer.yahoo.com. Yahoo Query Language (YQL) is the company’s proprietary programming language, and the console is used to test queries against Yahoo databases. Authenticated users can also run queries against tables containing their own Yahoo account data, such as e-mails and profile data.
According to Computerworld, Bogdan showed how an attacker could abuse a feature on the site by loading a specific URL inside an iframe that returned the visitor’s “crumb code” — a session- and user-specific authorization code generated when someone visits the YQL console page.
“However, security mechanisms built into browsers don’t allow code running in the context of one domain name to read content from a page hosted on a different domain that was loaded inside an iframe,” according to the news article. “This means that while the visitor himself can see the crumb code on the attack page, thanks to the iframe being loaded in his browser, the attack page itself can’t read the code or automatically use it to make authenticated YQL queries using the victim’s Yahoo session.”
To get around this, the security researcher used a fake CAPTCHA test to generate a YQL query that could divulge the user’s Yahoo email account and private profile data.
“Since the crumb is actually a string of random numbers and letters — for example ‘y5XAjn1fKIQ’ — Bogdan built a fake CAPTCHA test on the attack page and made it appear as if the crumb displayed in the iframe was actually the CAPTCHA challenge string that the user had to input in order to solve the test. By solving the fake CAPTCHA, the user was actually authorizing a YQL query to be made in his name.”
Another step is needed to actually read the emails — a step Bogdan did not disclose to the conference audience.
Bogdan, who had yet to share his discovery with Yahoo, recommended the company mitigate the vulnerability by preventing unauthorized third-party Web sites from loading pages from the developer.yahoo.com domain inside an iframe.
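Whether a response actually forbids that kind of framing can be checked from its HTTP headers. The following is an added example, not code from the article or from Yahoo: it evaluates the X-Frame-Options and Content-Security-Policy frame-ancestors headers of constructed sample responses against a hypothetical third-party origin, and reports whether that origin could embed the page in an iframe.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from Yahoo): no anti-framing header at all,
# versus the headers a hardened developer console should send.
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}

def _origin(url):
    """(scheme, host, port) of a URL; explicit default ports are not normalised."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.hostname or "", u.port)

def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if the CSP lacks it."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _source_allows(source, page, framer):
    """Match one frame-ancestors source against the origin that wants to frame the page."""
    if source == "'none'": return False
    if source == "*": return True
    if source == "'self'": return _origin(page) == _origin(framer)
    f_scheme, f_host, _ = _origin(framer)
    if source.endswith(":"):                      # scheme-source such as https:
        return f_scheme == source[:-1]
    scheme, _, host = source.partition("://") if "://" in source else ("", "", source)
    if scheme and scheme != f_scheme: return False
    host = host.split("/")[0].split(":")[0]       # ignore any path or port in the source
    if host.startswith("*."):                     # wildcard host such as *.example.com
        return f_host.endswith(host[1:])
    return f_host == host

def frameable_by(headers, page, framer):
    """True if a page at origin `page`, served with `headers`, may be embedded in an iframe
    by a document at origin `framer`. A frame-ancestors directive, when present, overrides
    X-Frame-Options, as it does in browsers that implement CSP level 2."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_allows(s, page, framer) for s in sources)
    xfo = h.get("x-frame-options", "").split(None, 1)
    if not xfo: return True                       # no anti-framing header: anyone may frame
    if xfo[0].upper() == "DENY": return False
    if xfo[0].upper() == "SAMEORIGIN": return _origin(page) == _origin(framer)
    if xfo[0].upper() == "ALLOW-FROM" and len(xfo) == 2:   # obsolete, but still seen
        return _origin(xfo[1]) == _origin(framer)
    return True                                   # unrecognised value is ignored by browsers
```

Running `frameable_by(UNPROTECTED, "https://developer.example.com", "https://attacker.example")` returns True while the same call with `HARDENED` returns False; the hostnames are placeholders, not the real sites.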