Both security issues are located in a vulnerable Flash player, JW Player (the issue was discovered by Neal Poole in April), which can be used to inject an XSS vector.
This type of attack could be used to trick innocent users, infect them with malware, and even hijack their accounts, all under the Yahoo name.
Proof-of-concept:
#1 http://especiales.yahoo.net/turismo-de-tunez/wp-content/themes/studiozen/js/jwplayer/player.swf?playerready=alert("xss by @dsopas")
#2 http://www.yahoosportsradio.com/source/mediaplayer/player.swf?playerready=alert("xss by @dsopas")
Upgrading JW Player would fix this vulnerability, but Yahoo decided to delete the files because they were old and had been forgotten on the web server. Deleting files that you don't need should always be a priority, since they could become a security risk in the future.
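To check whether a forgotten player like this is being probed on your own servers, the access log can be searched for requests to .swf files whose playerready parameter is not a plain function name. The script below is an added example, not part of the original post. It assumes combined-format access logs and that a legitimate playerready value is a simple (optionally dotted) JavaScript function name; the log lines, paths and the function name suspicious_swf_requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate playerready value is a plain (optionally dotted)
# JavaScript function name, never an expression with calls or quotes.
SAFE_CALLBACK_RE = re.compile(r'^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$', re.ASCII)

def suspicious_swf_requests(log_lines):
    """Return (line_no, path, value) for .swf requests whose playerready
    parameter is not a plain function name."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed line or no HTTP request field
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith(".swf"):
            continue
        # parse_qs percent-decodes the values; parameter names are compared
        # case-insensitively so PlayerReady= is not missed.
        for name, values in parse_qs(target.query).items():
            if name.lower() != "playerready":
                continue
            for value in values:
                if not SAFE_CALLBACK_RE.match(value):
                    hits.append((line_no, target.path, value))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2013:10:01:02 +0000] "GET /media/player.swf?playerready=onPlayerReady HTTP/1.1" 200 51234',
    '203.0.113.9 - - [10/Jun/2013:10:02:11 +0000] "GET /media/player.swf?playerready=alert(%22test%22) HTTP/1.1" 200 51234',
    '198.51.100.4 - - [10/Jun/2013:10:03:40 +0000] "GET /old/js/jwplayer/PLAYER.SWF?PlayerReady=alert%281%29 HTTP/1.1" 200 51234',
    '198.51.100.4 - - [10/Jun/2013:10:04:00 +0000] "GET /index.html?playerready=alert(1) HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for line_no, path, value in suspicious_swf_requests(SAMPLE_LOG):
        print(f"line {line_no}: {path} playerready={value!r}")
```

Any path this reports is also a candidate for the cleanup described above: if nothing on the site still embeds that player, the file can be removed.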
The Yahoo security team sent me the DoD T-shirt and some other Yahoo merchandise as a gift.
I would like to mention that Yahoo fixed both vulnerabilities pretty fast, proving that they really care about security.
Timeline #1:
07 Jun 2013: Reported to Yahoo
10 Jun 2013: Fixed by Yahoo
13 Aug 2013: Full disclosure
Timeline #2:
13 Jun 2013: Reported to Yahoo
13 Jun 2013: Fixed by Yahoo
13 Aug 2013: Full disclosure
Update: The JW Player security issue has also been present on SecurityFocus since 29 July 2012. Thanks to Avram Marius for this information.