XSS in mail.yandex.ru

I started my bug bounty adventure with Yandex, the company that owns the largest search engine in Russia.

Their key services (the higher-paying ones) are Yandex.Passport, Yandex.Mail, Yandex.Disk, Yandex.Maps, Yandex.Calendar, Moi Krug, Yandex's home page and the search results page, so I gave it a try. I was lucky enough to find an XSS in the HTTP Cookie header of mail.yandex.ru.

The vulnerable cookie was "yandexuid"; its value was reflected into the page without encoding, so it could be malformed to look like:

yandexuid=XXX<script>alert(document.cookie)</script> (where XXX is your ID)

After refreshing your mailbox an alert window popped up.
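As an added illustration (not code from the original post, nor Yandex's), here is the pattern behind this bug and its fix in Python: a handler that reflects the yandexuid cookie value into HTML unchanged, beside one that validates the value's shape and HTML-encodes it on output, plus a small check a defender could run over logged Cookie headers. The digits-only format assumed for yandexuid and the constructed header are assumptions, not facts from the post.

```python
import html
import re

# Constructed Cookie header in the shape the post describes; "XXX" stands in for a real ID.
MALFORMED_COOKIE_HEADER = (
    "yandexuid=XXX<script>alert(document.cookie)</script>; Session_id=example"
)

# Assumption: a legitimate yandexuid is a plain decimal string (the real format is not given).
YANDEXUID_RE = re.compile(r"[0-9]{1,32}")

# Characters that have no business in an opaque identifier and would start markup if reflected.
MARKUP_CHARS_RE = re.compile(r"[<>\"']")


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}, values kept raw."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def render_vulnerable(header: str) -> str:
    """'Before': the cookie value is interpolated into the page unchanged, so an
    attacker-controlled <script> element lands in the HTML the browser executes."""
    uid = parse_cookie_header(header).get("yandexuid", "")
    return f'<div id="uid">{uid}</div>'


def render_hardened(header: str) -> str:
    """'After': reject values that do not match the expected shape, then HTML-encode
    whatever is left so it is always rendered as text, never as markup."""
    uid = parse_cookie_header(header).get("yandexuid", "")
    if not YANDEXUID_RE.fullmatch(uid):
        uid = ""  # treat anything that is not a plain ID as absent
    return f'<div id="uid">{html.escape(uid, quote=True)}</div>'


def suspicious_cookies(header: str) -> list:
    """Detection helper for request logs: names of cookies whose values carry markup characters."""
    return [name for name, value in parse_cookie_header(header).items()
            if MARKUP_CHARS_RE.search(value)]


if __name__ == "__main__":
    print(render_vulnerable(MALFORMED_COOKIE_HEADER))   # script element reflected verbatim
    print(render_hardened(MALFORMED_COOKIE_HEADER))     # empty div, nothing executable
    print(suspicious_cookies(MALFORMED_COOKIE_HEADER))  # ['yandexuid']
```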

Damn, it’s addictive.

Timeline:

[March 17th 2013] - bug was reported
[April 24th 2013] - bug was fixed
