Steal Yahoo Crumb By Combining Missing-Iframe and Noscript Tag

A few months ago, while testing some HTML, I noticed a strange behaviour in Firefox.

If you disable JavaScript and open a website, the content inside the <noscript> tag does not render as HTML.

Yahoo uses the crumb as a token to validate that a request is valid and trusted. With this value you can fetch personal data.

Luckily, I knew that Yahoo puts the crumb (a type of user token) as a parameter of the logout URL inside a <noscript> tag.

What's next? Find a Yahoo domain that is missing the anti-framing (X-Frame-Options) header, and luckily (again), I found one after a few minutes.

By combining these lucky finds, this code did the rest:

<iframe id="inneriframe" scrolling="no" src="https://safety.yahoo.com/poll/entry." sandbox=""></iframe>
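From the defender's side, the two conditions that made this chain work are easy to audit on your own responses: the page can be framed by another origin (no X-Frame-Options and no CSP frame-ancestors), and a fallback link inside <noscript> carries a session token in its query string, so it becomes live markup as soon as a sandboxed frame turns scripting off. The script below is an added example written for this post, not the author's code or anything from Yahoo; the headers, domain, and crumb value it checks are constructed placeholders.

```python
"""Audit an HTTP response for the two preconditions of the noscript-token leak:
framing is not blocked, and a <noscript> fallback link carries a token parameter."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query-parameter names that usually carry a per-user or anti-CSRF token.
TOKEN_PARAMS = {"crumb", "token", "csrf", "_csrf", "authenticity_token"}


def framing_protected(headers):
    """True if the response forbids cross-origin framing via X-Frame-Options
    (DENY / SAMEORIGIN) or a CSP frame-ancestors directive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lowered.get("content-security-policy", "")
    return any(d.strip().lower().startswith("frame-ancestors")
               for d in csp.split(";"))


class NoscriptLinkCollector(HTMLParser):
    """Collect href/src/action URLs that appear inside <noscript> blocks.
    HTMLParser parses noscript content as markup, which mirrors how a browser
    with scripting disabled (including a sandboxed iframe) renders it."""

    def __init__(self):
        super().__init__()
        self.depth = 0          # nesting depth inside <noscript>
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.depth += 1
        elif self.depth:
            for name, value in attrs:
                if name in ("href", "src", "action") and value:
                    self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth:
            self.depth -= 1


def token_urls_in_noscript(html):
    """Return [(url, [token param names])] for noscript links carrying tokens."""
    collector = NoscriptLinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        params = parse_qs(urlsplit(url).query)
        names = sorted(p for p in params if p.lower() in TOKEN_PARAMS)
        if names:
            findings.append((url, names))
    return findings


def audit(headers, html):
    """Combine both checks; 'high' means the page is frameable AND leaks a token
    through noscript fallback markup, which is exactly the chain in the post."""
    frameable = not framing_protected(headers)
    leaks = token_urls_in_noscript(html)
    risk = "high" if frameable and leaks else "medium" if leaks else "low"
    return {"frameable": frameable, "noscript_token_urls": leaks, "risk": risk}


# Constructed sample response: no anti-framing header, and a logout link
# with a placeholder crumb inside <noscript> (not a real Yahoo value).
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = """<html><body>
<script>renderApp();</script>
<noscript>
  <a href="/logout?crumb=CONSTRUCTED_CRUMB_VALUE">Logout</a>
  <img src="https://example.invalid/pixel.gif" alt="">
</noscript>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_HTML))
```

A finding with risk "high" is fixed from either side: send X-Frame-Options: DENY (or a CSP frame-ancestors directive) so the page cannot be embedded at all, and keep per-user tokens out of fallback markup so that turning scripting off never turns a secret into a plain link.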

So? Time to get some bounty!! (awarded $x00)

POC video here.

If you are interested, here is another article related to this bug 😀

https://medium.com/@0xHyde/yahoo-two-xssi-vulnerabilities-chained-to-steal-user-information-750-bounty-e9bc6a41a40a

A&C

About the Author

A&C

A young man who prefers playing to studying, prefers roaming around to going to work, with a spirit of socialising and making friends but shy about actual contact. Fragile yet hard to break, with delusions of grandeur >:)
