Tuesday, August 13, 2013

Vulnerable JW Player on two Yahoo sites

Challenged by some web security analysts who told me that it is very hard to still find web vulnerabilities on Yahoo sites, I found two flaws.
Both security issues are located in a vulnerable Flash player, JW Player (discovered by Neal Poole in April), which can be used to inject an XSS vector.
This type of attack could be used to trick innocent users, infect them with malware and even get their accounts hijacked, all using the name of Yahoo.

Proof-of-concept:
#1 http://especiales.yahoo.net/turismo-de-tunez/wp-content/themes/studiozen/js/jwplayer/player.swf?playerready=alert("xss by @dsopas")

#2 http://www.yahoosportsradio.com/source/mediaplayer/player.swf?playerready=alert("xss by @dsopas")


Upgrading JW Player would fix this vulnerability, but Yahoo decided to delete the files because they were old files forgotten on the web server. It is always a priority to delete files that you don't need. They could become a security risk in the future.
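For defenders who cannot remove or upgrade an old player right away, the following is an added example (not part of the original post) of a log check that flags requests to `.swf` files whose `playerready` parameter is anything other than a plain function name. The log format, the sample lines and the rule that a legitimate callback is a bare, optionally dotted identifier are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate playerready value is a bare JavaScript function
# name (optionally dotted); anything else is treated as suspicious.
SAFE_CALLBACK = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")
# Request line of a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_playerready(log_line):
    """Return the decoded playerready value if the request targets a .swf
    file with a callback that is not a plain function name, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(".swf"):
        return None
    # parse_qsl percent-decodes values; names are compared case-insensitively
    # to stay conservative about how the player reads its parameters.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "playerready" and not SAFE_CALLBACK.fullmatch(value):
            return value
    return None

def scan(lines):
    """Yield (line_number, value) for every flagged log line."""
    for n, line in enumerate(lines, 1):
        value = suspicious_playerready(line)
        if value is not None:
            yield n, value

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2013:10:00:00 +0000] "GET /mediaplayer/player.swf?file=a.mp4 HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Aug/2013:10:00:05 +0000] "GET /mediaplayer/player.swf?playerready=onPlayerReady HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Aug/2013:10:00:09 +0000] "GET /mediaplayer/player.swf?playerready=alert(%22xss%22) HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Aug/2013:10:00:12 +0000] "GET /mediaplayer/Player.SWF?PlayerReady=alert%281%29 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: playerready={value!r}")
```

Hits on a path nobody remembers deploying are also a quick way to locate forgotten player files that should be deleted.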

The Yahoo security team sent me the DoD T-shirt and some other Yahoo merchandise as a gift.




I would like to mention that Yahoo fixed both vulnerabilities pretty fast, proving that they really care about security.

Timeline #1:
07 Jun 2013: Reported to Yahoo
10 Jun 2013: Fixed by Yahoo
13 Aug 2013: Full disclosure

Timeline #2:
13 Jun 2013: Reported to Yahoo
13 Jun 2013: Fixed by Yahoo
13 Aug 2013: Full disclosure

Update: The JW Player security issue has also been present on SecurityFocus since 29 July 2012. Thanks to Avram Marius for this information.
