I have started my bug bounty adventure with Yandex – a company which owns the largest search engine in Russia.
Their key services (more paid) are: Yandex.Passport, Yandex.Mail, Yandex.Disk, Yandex.Maps, Yandex.Calendar, Moi Krug, Yandex’s home page and search results page, so I gave it a try. I was lucky enough to find a XSS in Http Cookie Header in mail.yandex.ru.
The vulnerable cookie variable was “yandexuid”, so it could be malformed to look like:
yandexuid=XXX<script>alert(document.cookie)</script> (where XXX is your ID)
After refreshing your mailbox an alert window popped up.
Damn, it’s addictive.
Timeline:
[March 17th 2013] - bug was reported [April 24th 2013] - bug was fixed