Yahoo has fixed a handful of vulnerabilities that could have given an attacker free rein over all of its user-run eCommerce websites and caused multiple headaches for small business owners.
One bug could have allowed a hacker to change item prices on a whim and given them access to sensitive information provided to web stores powered by Yahoo. A separate bug could have given attackers complete control of any site hosted by the company.
Mark Litchfield, a bug bounty hunter who occasionally contracts to companies, dug up the bugs while testing all of the company’s applications. While Yahoo patched the bugs two weeks ago, Litchfield recently posted proofs of concept for the exploits on Bug Bounty HQ, a repository he set up last month for fellow hunters to share their findings.
The first bug he found could have given an attacker full access to Yahoo’s eCommerce platform, Yahoo Small Business, a portal that allows small business owners to create web stores through Yahoo. The service offers businesses hosting, domain registration and gives users looking to sell merchandise several shipping and payment options.
Litchfield claims the bug could allow him to fully administer any Yahoo store and gain access to customers’ personally identifiable information, including names, email addresses, telephone numbers and so on.
By exploiting the vulnerability, an attacker could also rig a web store to let them shop for free, or at a deep discount.
“We could also shop for free by either changing the prices, or creating our own discount code,” Litchfield said via email while walking through the attack, “Also, we could place an order, then once received, go and refund our money.”
Each request sent to Yahoo’s servers from its eCommerce sites carries a base64-encoded string in a parameter called ysbparams, according to Litchfield. Before the issue was fixed, a hacker would merely need to know a business’ “bizid” to compromise its store. In his proof of concept Litchfield ascertains the “bizid” of a victim’s site, a site selling used cars, simply by searching for it in the site’s HTML source. From there, by creating a rule in the pentesting application Burp Suite, Litchfield found he could replace ysbparams with a targeted version including that “bizid” and gain access to the store’s backend. Once in, an attacker could manage the products the site has for sale (in this case cars, and lots of them), tweak prices, and carry out a handful of other attacks that Litchfield omits from his PoC on purpose for privacy reasons.
“I am thinking a $10 Bentley would be a good deal,” Litchfield jokes in his PoC while inside the car seller’s backend. While it’s unlikely that tricking a seller into giving that deep a discount on one of their products would ever work, as Litchfield points out, the real point here is that the bug allows an attacker to change prices.
Yahoo Fixes Critical eCommerce, Small Business Vulnerabilities
For the second part of the exploit, Litchfield uses Burp and edits requests to take advantage of a bug that allows the unauthorized editing of Yahoo-hosted stores through the app. In the proof of concept for this vulnerability, Litchfield just adds an ellipsis to text on a website selling electronic cigarettes but claims the hack could allow for far more than that.
“We essentially at this point are the webmaster for this store and capable of adding, editing, or deleting any and all content as we choose,” he acknowledges.
Lastly, a separate vulnerability Litchfield found, one that allows full, unauthorized access to Yahoo-hosted sites, stems from a bug in Yahoo’s Small Business portal.
Via a site’s Web Hosting Control Panel an attacker can edit files and create directories on sites hosted on Yahoo. In the PoC for this bug, Litchfield shows how he’s able to assign himself access to another site’s root directory, in this case, a website belonging to the tiny town of Rozel, Kansas, by editing a request within Burp.
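Both of the bugs described above follow the same pattern: the server trusted an identifier supplied by the client (the “bizid” inside ysbparams, or the directory named in a control-panel request) instead of checking it against what the logged-in user actually owns. The following added example is not code from Yahoo or from Litchfield’s PoC; it is a defender-side illustration written for this article. It assumes, as a constructed stand-in, that ysbparams wraps a JSON object in base64 (the article only says the parameter holds a base64 string), and it uses invented store names, bizids and paths. It shows a handler that trusts the client-supplied bizid beside a hardened one that binds the bizid to the session, plus a path check of the kind that keeps a hosting control panel from handing out another site’s root directory.

```python
import base64
import json
import posixpath


# Constructed sample data (not real Yahoo stores): two hypothetical stores and
# the hosting root of each. A real system would load these from a database.
STORES = {
    "biz-1001": {"name": "Used Cars Example", "items": {"sedan": 12000}},
    "biz-2002": {"name": "E-cig Example", "items": {"starter-kit": 30}},
}
SITE_ROOTS = {"biz-1001": "/sites/biz-1001", "biz-2002": "/sites/biz-2002"}


class AuthorizationError(Exception):
    """Raised when a session asks for a store or path it does not own."""


def encode_ysbparams(params: dict) -> str:
    """Assumed wire format: base64 over a JSON object (an assumption, see lead-in)."""
    return base64.b64encode(json.dumps(params).encode("utf-8")).decode("ascii")


def decode_ysbparams(encoded: str) -> dict:
    """Decode and validate the parameter shape; reject anything that is not
    a JSON object with a string bizid before any business logic runs."""
    raw = base64.b64decode(encoded, validate=True)
    params = json.loads(raw)
    if not isinstance(params, dict) or not isinstance(params.get("bizid"), str):
        raise ValueError("malformed ysbparams")
    return params


def vulnerable_store_admin(ysbparams: str) -> dict:
    """The flawed pattern: whatever bizid the client sends selects the store.
    Any logged-in user who learns a bizid reaches that store's backend."""
    params = decode_ysbparams(ysbparams)
    return STORES[params["bizid"]]


def hardened_store_admin(session: dict, ysbparams: str) -> dict:
    """The fix: the bizid must be one the authenticated session is authorized
    for. The client-supplied value is a lookup key, never an authorization."""
    params = decode_ysbparams(ysbparams)
    bizid = params["bizid"]
    if bizid not in session["authorized_bizids"]:
        raise AuthorizationError(f"session {session['user']} may not manage {bizid}")
    return STORES[bizid]


def hardened_hosting_path(session: dict, bizid: str, requested_path: str) -> str:
    """Resolve a control-panel file request against the caller's own site root.
    Two checks: the site must belong to the session, and the normalized path
    must stay under that site's root (so '..' cannot reach another site)."""
    if bizid not in session["authorized_bizids"]:
        raise AuthorizationError(f"session {session['user']} may not manage {bizid}")
    root = SITE_ROOTS[bizid]
    full = posixpath.normpath(posixpath.join(root, requested_path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise AuthorizationError(f"path {requested_path!r} escapes {root}")
    return full


def demo() -> dict:
    """Run the scenarios and report outcomes as plain values for easy checking."""
    owner = {"user": "alice", "authorized_bizids": {"biz-1001"}}  # owns one store only
    other = encode_ysbparams({"bizid": "biz-2002"})
    outcomes = {}
    # Flawed handler: alice's request for someone else's bizid succeeds.
    outcomes["vulnerable_reaches_other_store"] = vulnerable_store_admin(other)["name"]
    # Hardened handler: the same request is refused.
    try:
        hardened_store_admin(owner, other)
        outcomes["hardened_denied_other_store"] = False
    except AuthorizationError:
        outcomes["hardened_denied_other_store"] = True
    # Hardened path check: a traversal toward another site's root is refused.
    try:
        hardened_hosting_path(owner, "biz-1001", "../biz-2002/index.html")
        outcomes["traversal_denied"] = False
    except AuthorizationError:
        outcomes["traversal_denied"] = True
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of keeping `decode_ysbparams` separate from the authorization step is that decoding a client parameter tells you what the client asked for, not what it is allowed to have; the ownership lookup against the session is what was missing in the pattern the article describes.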
Litchfield, who discovered similar bugs in PayPal’s Manager infrastructure that could have led to account takeover last year, found the Yahoo bugs as he was working his way through the company’s applications.
“Given the size of Yahoo, its age online and constant acquisitions it certainly presents a very large attack surface area,” Litchfield said, adding that in his experience the company has been remarkably speedy at addressing the vulnerabilities, especially those that are critical.
Chris Rohlf, the head of Yahoo’s pentesting team, announced late last year that similar to Google’s Project Zero, the company would disclose any vulnerabilities that its team digs up within 90 days of discovery.
Since switching to HackerOne at the beginning of 2014, the company has addressed nearly 2,000 externally reported bugs and Litchfield, who was awarded $24,000 for the aforementioned Small Business issues, is one of its more prolific bug reporters. Citing a speech given by Yahoo’s CISO Alex Stamos a few months ago that claimed the company had paid out $700K in bounties, Litchfield believes that it now must be closing in on $1 million in paid bounties.
“In time, I think bug bounties will become the norm for companies,” Litchfield speculated, “The ROI is 100%.”
Litchfield, who set up Bug Bounty HQ last month as a neutral, central repository for researchers to post public vulnerabilities, insists the site is still young but claims he’s seen posts on the site steadily increase daily.
“BBHQ is a community for bounty hunters to talk with each other and hopefully learn new skills from other members,” Litchfield said via email Monday, “I find reading other peoples’ vulnerabilities very interesting as they are real ‘business’ issues and a lot can be learned from them.”