04.16
Summary
I reported 3 vulnerabilities to the Yandex bug bounty program shortly after it launched in September. It has taken almost 6 months to resolve the issues completely, thanks to some miscommunication and a lack of follow-up on my part. Overall my experience was not too negative, but I would not recommend the program to other researchers.
Vulnerability #1: Reflected XSS in pass.yandex.ru
This was a fairly straightforward reflected XSS vulnerability. Browsing to https://pass.yandex.ru/login?retpath=http://yandex.ru/%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E in Firefox would lead to a JavaScript alert box being displayed in the browser.
According to the Yandex security team my report was a duplicate: this makes sense given the simplicity of the vulnerability. This vulnerability has been patched.
Vulnerability #2: CSRF in passport.yandex.com
Again, a fairly straightforward vulnerability. The form for updating personal information (first/last name, city, etc.) was not protected against a CSRF attack.
When I initially reported this vulnerability to Yandex I never received a reply. I failed to follow up until 3 months later; at that point, I was told that only my reflected XSS report was showing up in their system. I had used their feedback form to submit all three reports separately; in retrospect I should have sent them via email.
Regardless, when I followed up I noted that the CSRF issue had been fixed but that the solution was vulnerable to clickjacking. That report was declared a duplicate (again, makes sense given the simplicity of the vulnerability and the amount of time that had passed) and I was told of plans to add an X-Frame-Options header to protect against clickjacking. So far the header has not been added and the vulnerability still exists.
Vulnerability #3: Email header splitting via mail.yandex.com
This vulnerability was the most complicated of the three that I submitted. When sending an email on mail.yandex.com, a POST request is made to https://mail.yandex.com/neo2/handlers/do-send-json.jsx. The from_name parameter sent as part of that request did not escape newline characters, which allowed an attacker to forge the From: header in an email and include arbitrary additional headers in the email.
I again failed to follow up until 3 months after my initial report. At that point I was told:
We cannot verify the security issue you have reported because it is unexploitable.
Every person can do it (add various headers) with a tool like Telnet by connecting to an SMTP server.
If you can describe how it can be exploitable by a malicious man, don't hesitate to contact us.
I pointed out that most other web-based email clients (e.g. Gmail) do not allow you to specify an arbitrary From: header. Subsequently I received a follow-up email telling me that I was eligible for a reward of $160.
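To make the header-splitting issue in vulnerability #3 concrete, here is an added example (my own code, not Yandex's) contrasting a naive header builder that concatenates a user-supplied display name unchanged with a hardened version that rejects CR/LF. The sample names, addresses and the helper names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the post). The second mirrors a
# from_name value carrying CRLF sequences, as described for do-send-json.jsx.
BENIGN_NAME = "Alice Example"
INJECTED_NAME = "Alice Example\r\nBcc: victim@example.invalid\r\nX-Injected: yes"

CRLF_RE = re.compile(r"[\r\n]")
INTENDED_HEADERS = {"From", "To", "Subject"}


def build_headers_naive(from_name: str, from_addr: str, to_addr: str, subject: str) -> str:
    """Vulnerable pattern: values are dropped into the header block verbatim."""
    return (
        f"From: {from_name} <{from_addr}>\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: {subject}\r\n"
    )


def parse_header_names(header_block: str) -> list:
    """Return the header names a receiving MTA would see in a raw header block.
    Lines starting with whitespace are RFC 5322 folded continuations, not new headers."""
    names = []
    for line in header_block.split("\r\n"):
        if not line or line[0] in " \t":
            continue
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip())
    return names


def sanitize_header_value(value: str) -> str:
    """Hardened pattern: a single-line header value must never contain CR or LF."""
    if CRLF_RE.search(value):
        raise ValueError("CR/LF in header value; refusing to build message")
    return value


def build_headers_safe(from_name: str, from_addr: str, to_addr: str, subject: str) -> str:
    return build_headers_naive(*(sanitize_header_value(v) for v in (from_name, from_addr, to_addr, subject)))


def injected_header_names(from_name: str) -> list:
    """Headers that appear in the naive output beyond the three the sender intended."""
    raw = build_headers_naive(from_name, "alice@example.invalid", "bob@example.invalid", "hi")
    return [n for n in parse_header_names(raw) if n not in INTENDED_HEADERS]


def rejected_by_sanitizer(value: str) -> bool:
    try:
        sanitize_header_value(value)
    except ValueError:
        return True
    return False
```

Rejecting is the simplest fix; an alternative with the same effect is to RFC 2047-encode the display name so no raw control characters reach the header block.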
Disclosure Timeline
- September 23rd, 2012: Reports sent to Yandex via submission form.
- September 25th, 2012: Reply from Yandex indicating that the reflected XSS report was a duplicate.
- January 16th, 2013, 12:26 AM: Retested previously reported vulnerabilities. Sent follow-up email to Yandex security team, asking for updates on previous reports and providing feedback based on the retest.
- January 16th, 2013, 6:00 AM: Received reply from Yandex indicating that only one of my initial three reports was received. Responded to the other two “new” reports (details outlined previously above).
- January 16th, 2013, 10:03 AM: Replied with feedback regarding email header splitting vulnerability.
- January 16th, 2013, 11:04 AM: Reply from Yandex acknowledging that email header splitting vulnerability was eligible for a reward.
- February 16th, 2013: Sent follow-up to Yandex, asking for an update on the reward and on patches for the vulnerabilities.
- March 1st, 2013: Sent email to Yandex informing them of plans to publish this post on April 16th, 90 days after the follow-up on January 16th.
- March 8th, 2013: Reply from Yandex acknowledging the reward and asking me to inform them again once the post is published.
- March 12th, 2013: Reply from Yandex, bounty money has been transferred to my account.
- April 16th, 2013: Published this blog post.