XSS in mail.yandex.ru

I have started my bug bounty adventure with Yandex – a company which owns the largest search engine in Russia.

Their key services (the ones that pay more) are: Yandex.Passport, Yandex.Mail, Yandex.Disk, Yandex.Maps, Yandex.Calendar, Moi Krug, Yandex’s home page and search results page, so I gave it a try. I was lucky enough to find an XSS via the HTTP Cookie header in mail.yandex.ru.

The vulnerable cookie was “yandexuid”; a malformed value looked like this:

yandexuid=XXX<script>alert(document.cookie)</script> (where XXX is your ID)

After refreshing the mailbox, an alert window popped up.
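As an added example (not code from the original post or from Yandex), here is a minimal handler that reflects the cookie value into the page the way the report describes, next to a hardened version that validates the expected id format and HTML-encodes on output, plus a check a defender could run on incoming requests. The parser, the digits-only id format and the HTML template are assumptions made for illustration.

```python
# Added example: cookie value reflected into HTML (the defect behind the
# report) versus a hardened handler. Not Yandex's code; the cookie parser,
# the digits-only yandexuid format and the HTML template are assumptions.
import html
import re

# Constructed sample Cookie headers: a benign id and a malformed one of the
# shape described in the write-up.
BENIGN_COOKIE = "yandexuid=1234567890; Session_id=abc"
MALFORMED_COOKIE = "yandexuid=123<script>alert(document.cookie)</script>; Session_id=abc"

# Assumed shape of a legitimate yandexuid: decimal digits only.
YANDEXUID_RE = re.compile(r"[0-9]{1,32}")


def parse_cookie_header(cookie_header: str) -> dict:
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def render_vulnerable(cookie_header: str) -> str:
    """Echoes the raw cookie value into the page: attacker-controlled HTML."""
    uid = parse_cookie_header(cookie_header).get("yandexuid", "")
    return f"<div id='uid'>{uid}</div>"


def render_hardened(cookie_header: str) -> str:
    """Allow-list the value, then HTML-encode it on output (defence in depth)."""
    uid = parse_cookie_header(cookie_header).get("yandexuid", "")
    if not YANDEXUID_RE.fullmatch(uid):
        uid = ""  # treat an unexpected value as absent instead of echoing it
    return f"<div id='uid'>{html.escape(uid, quote=True)}</div>"


def cookie_looks_tampered(cookie_header: str) -> bool:
    """Detection helper: flag a yandexuid that does not match its expected shape."""
    uid = parse_cookie_header(cookie_header).get("yandexuid", "")
    return bool(uid) and YANDEXUID_RE.fullmatch(uid) is None
```

The same allow-list check can be logged server-side to spot tampered cookies before the value ever reaches a template.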

Damn, it’s addictive.

Timeline:

[March 17th 2013] - bug was reported
[April 24th 2013] - bug was fixed
