web application security lab

Yahoo XSS Vuln

To quote digi7al64: “With all the recent stuff surrounding Google I thought I would check out how secure Yahoo was in comparison… cause I have never really bothered to audit the domain so to speak. Anyways, within 5 minutes I had my first XSS,” and indeed he did:

Click here to see the XSS in Yahoo for yourself. It’s true, I tend to talk about Google more than other sites, primarily because of how much traffic they get through their search engine as a percentage. But yes, all major sites tend to be plagued by XSS among a plethora of other web application security issues. The greater the interdependencies between each application and the greater the complexity of the application, the more likely it is to have flaws.

I know we’ve all heard the statistics about how many vulnerabilities per line of code there are, but I don’t think this statistic is accurate and I don’t think it applies well to web applications in particular. It would be interesting to get statistics on how many holes there tend to be in web applications per line of code. My bet is it would be higher than for almost any other kind of application due to the way people tend to build web apps. The web is only growing, my friends.

8 Responses to “Yahoo XSS Vuln”

  1. Awesome AnDrEw Says:

    I’m still curious to see which bullshit useless sites attract massive amounts of visitors (like the current MySpace fad) in the near future. Judging by the current trend I’d say it’ll be a poorly coded site with little functionality, a lot of security holes, little to offer (both literally and in terms of technology), a massive horde of pre-pubescent or insecure, despondent teenagers, and will most likely be a ripoff of an existing site (as MySpace was essentially an INSERTRANDOMADJECTIVE Journal clone).

  2. t3rmin4t0r Says:

    A security bug logged … let’s see what happens

  3. zeno Says:

    Seriously, is it needed to publish an XSS vuln in every major site? Google and Yahoo I’m sure have 50+ to be found.

    I don’t know about the majority of this site’s readers, but I’d rather see newer uses and/or evasion methods than ‘big site X vuln’ because it just isn’t surprising or even news anymore unless you got some local zone context or new twist.

    - zeno
    http://www.cgisecurity.com

  4. digi7al64 Says:

    @zeno

    Web Security is just as much about awareness of current issues as it is about all the new stuff.

    For me, this is about the #1 website in the world (according to Alexa), and within 5 minutes of deciding to look for an XSS vulnerability I have one which was within the .com domain. I then decided to go for child sites, the .it, .no, .co.nz etc., and within 3 hours I had found vulnerabilities (albeit not the greatest ones), meaning I had successfully found XSS vulns for almost every version of Yahoo.

    Does it count as being newsworthy? I think so. Is RSnake overdoing it? No…. this is only the 2nd XSS he has published in his blog in relation to Yahoo, and frankly the only reason I bothered to go after Yahoo was all the Google bashing going on.

    So in essence, the news isn’t the XSS. The news is that any time we want to target a major site for XSS, we can, and we can be successful. Maybe that isn’t big time or new, but to the millions of people that use these services I’m sure it counts for something, and if it ain’t posted here, who is going to post it?

  5. Jungsonn Says:

    The most striking thing with such “new apps” they build is that they tend to leave them unsecured in most cases. I personally think it has to do with several departments which work independently, the one not knowing what the other did to secure these things in the past.

    It’s definitely newsworthy.

  6. Wladimir Palant Says:

    I found a few XSS holes in Yahoo myself (posted them in the same thread). My conclusion is that the comparison between Yahoo and Google is not in favor of Yahoo. Google’s code is quite uniform; I can see that there are some company-wide security policies and thorough code review. If they screw up it is usually in some obscure places, and finding XSS there isn’t easy. On Yahoo, however, the quality varies a lot; there are some good and some bad web apps there. I have seen a dozen different approaches to security, some of them very insufficient, some that tend to corrupt perfectly valid input data. And in lots of places you see debug code that can be abused if you only try hard enough. If XSS holes in Yahoo aren’t published all the time, it is only because nobody bothers to look.

  7. RSnake Says:

    Looks like this one is now fixed. Good job, Yahoo!

  8. Doug Says:

    My Yahoo email has just about been rendered unusable because of XSS. I cannot open attachments and every message has the following in it: “http://ca.f450.mail.yahoo.com/ym/ShowLetter?” I also have been reported for having a high activity of messages going out. Yahoo does not respond to any of my cries for help.