Yahoo recently patched three remotely exploitable vulnerabilities in its services that could have let attackers inject malicious script and led to session hijacking, phishing, among other nefarious tricks.
The vulnerabilities in Yahoo Mail, Messenger and its Flickr photo-sharing site qualified for bounties from Yahoo. To date, one has been paid through the HackerOne vulnerability disclosure program, a platform the company began using five months ago. To give researchers a new avenue to report vulnerabilities, companies such as Cloudflare and OpenSSL have also begun using the service over the last several months.
The first of the three, a persistent script code-inject vulnerability disclosed, affected Yahoo’s Mail web app and API. Until it was patched at the beginning of June, the hole could have let an attacker upload or attach their own malicious HTML files and send them to other Yahoo users. The main problem is that the app didn’t perform proper validation when it uploaded files. Instead, anyone who clicked on the HTML attachment just loaded the malicious script right away, something that could expose them to persistent client side attacks, phishing, redirects and user session hijacking.
The second problem the firm found was in a recent version of Yahoo’s chat application, Yahoo Messenger. The app lets users share photos, files, and chat but it was a problem with the way version 220.127.116.11 of the app handled SMS messages – it mistakenly processed malicious payloads – that was the issue here. The app validated all numbers, even invalid and malicious ones through a remote host. While the remote host (validate.msg.yahoo.com) acknowledged these with an exception the code was still executed, via HTML, in a new chat window.
Ateeq ur Rehman Khan, a member of Vulnerability Lab’s Core Research Team who found all three vulnerabilities, noted in a write-up of the Messenger issue on Monday that if a hacker wanted to, they could simply copy and paste a specially crafted payload that would bypass the chat app’s filter. That payload would go on to trigger code execution and much like the Yahoo Mail issue, lead to session hijacking, phishing, redirects and also open the app up to external malware loads.
The latest version of Yahoo Messenger now enforces validation input and forbids the copying and pasting of what it deems “malicious requests” in input fields.
The last vulnerability, disclosed on Sunday, plagued both the web app and the API of Yahoo’s Flickr service. The issue technically lies in Flickr’s ‘invite’ mail notification module and could let an attacker send an invitation to someone to use Flickr via email but let them manipulate the message’s body context.
While it may look like a normal invitation, an attacker could inject their own malicious script into the email and remotely exploit it on the application-side of the app. Like the other two vulnerabilities, if successfully exploited, the vulnerability could result in session hijacking, account theft, and phishing.
Yahoo patched the Flickr issue by implementing a secure parse and encode of the app’s vulnerable message body value input. It sounds as if going forward the app will prevent code execution for outgoing mails with vulnerable stored message content.
While the Yahoo Mail and Flickr issues took about eight months to patch – they were found last November – it took the Yahoo team nearly a year to patch the Messenger issue, which was first brought to their attention by researchers last July.
Khan reported all three bugs to Yahoo via its HackerOne vulnerability disclosure program, a platform the company began using five months ago. To give researchers a new avenue to report vulnerabilities, companies like Cloudflare and OpenSSL have also begun using the service over the last several months.
While Khan, whose name appeared on Yahoo’s bug bounty Wall of Fame before Yahoo switched over to HackerOne, points out that his bugs qualified for a bounty, at this time the sum of only one of them, the Flickr vulnerability, which had a reward of $1,000, has been disclosed.