Security Experts:

Yahoo Toolbar Causes XSS for Major Online Services: Researcher

Yahoo has fixed a bug in Yahoo Toolbar that generated a stored cross-site scripting (XSS) vulnerability in several important online services.

 The issue, identified by California-based security researcher Behrouz Sadeghipour, affected not only Yahoo services, but also Flickr, Google, YouTube, Twitter, Amazon, Pinterest and many others. Sadeghipour discovered the Yahoo Toolbar flaw when he realized that some of the XSS payloads he had previously set were all of a sudden triggered only on a computer which had the application installed.

Initially, the researcher thought only Flickr was affected, but since Yahoo hadn’t responded to his reports, he continued performing tests. That’s when he realized that Yahoo Toolbar triggered the XSS payload on numerous popular services.

“Anyone using Y! Toolbar could simply get their Yahoo, Google, YouTube, and other services hijacked by visiting any of those websites containing an XSS vector. Since these are highly reputable websites, it makes it easier for attackers to hijack accounts due to the fact that reputation and websites that contains a malicious code designed for an attack,” Sadeghipour explained in a blog post.

Yahoo was informed of the vulnerability on May 17, and fixed the issue on May 30 with the release of a new version of the toolbar.

Sadeghipour told SecurityWeek that he only managed to conduct tests on Chrome because Yahoo addressed the bug before he could try to replicate the results on other Web browsers.

This isn’t the first time Sadeghipour has found XSS vulnerabilities affecting Yahoo services. In May, he identified an XSS flaw impacting the comments section on hundreds of Yahoo pages. An attacker simply had to post malicious code as a comment and it would get executed whenever someone accessed the page containing it.

POC Video is embedded below:

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.