Stored XSS affecting all fantasy sports [*.fantasysports.yahoo.com]

Introduction

This will be my first write-up regarding my security research. The following post walks through a stored Cross-Site Scripting (XSS) bug that I found affecting all of Yahoo!'s different Fantasy Sports leagues.

Background

Yahoo! hosts its own Fantasy Sports platform for a variety of sports, a list of which can be found here. Each sport is hosted on its own subdomain, which includes a variety of features, some common to all sport subdomains, like message boards, and others being sport specific. The message board functionality acts like a typical online forum, allowing users who have joined the league to create posts, share images, etc. It was in this Message Board functionality that I found a stored XSS vulnerability that could be exploited against any user who viewed the malicious message.

Details

After joining any league/group for any Yahoo! Fantasy Sports League, proceed to the Message Board of the league which will look like this:

After clicking on the 'Post New Topic' button you will be given this screen:

Then switch to the Rich Text Editor:

Once here, I added a random plain text title (since adding any HTML there would cause a validation error) with the following payload in the body:
<img src="x:? title=" onerror=alert(document.domain)//"> This would then render as: <img src="x:? title=" title="" onerror="alert(document.domain)//">. Notice how the src and title attributes have been parsed: by not including a closing double quote after x:, the double quote from my title attribute closed the src attribute's value instead, and Yahoo! added an empty title (title="") while leaving the onerror handler intact. The XSS would fire any time anyone viewed the post, including myself after submitting it, across all browsers.
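The root cause above is a sanitizer that reasons about attribute boundaries on the raw string rather than on a parsed tag. The following is an added example (not Yahoo!'s code, and not from the original post) of the defensive approach that survives this class of payload: parse the fragment into tags and attributes, keep only an allowlisted set of tags and attributes (which drops every on* handler regardless of how it was quoted), validate URL schemes on src/href, and re-serialize every attribute value through a proper escaper. The allowlist policy and the inputs at the bottom are constructed for the example.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit

# Allowlist policy (constructed for this example, not Yahoo!'s actual rules):
# only these tags survive, and only these attributes on each of them.
ALLOWED = {
    "p": set(),
    "b": set(),
    "i": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "title"},
}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}


def safe_url(value):
    """Accept only scheme-less relative URLs or absolute http(s) URLs.
    'x:? title=' from the write-up parses with scheme 'x' and is rejected,
    as are javascript:/data: URLs."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds markup from parsed tags instead of patching the raw string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag (script, iframe, ...) is dropped entirely
        parts = [tag]
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED[tag]:
                continue  # this is what removes onerror, onclick, style, ...
            value = "" if value is None else value
            if name in URL_ATTRS and not safe_url(value):
                continue
            # Always quote and escape, so a value can never close its own quote.
            parts.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "img":  # img is void: no closing tag
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(fragment):
    """Return an allowlisted, re-serialized version of an untrusted fragment."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    # Constructed inputs: the payload from the write-up, the form the
    # vulnerable renderer produced, and a benign image.
    for sample in (
        '<img src="x:? title=" onerror=alert(document.domain)//">',
        '<img src="x:? title=" title="" onerror="alert(document.domain)//">',
        '<img src="https://example.com/a.png" alt="a &quot;quoted&quot; alt">',
    ):
        print(sanitize(sample))
```

The key design point is that the output is never a modified copy of the input: each attribute value goes through escape(..., quote=True) on the way out, so an unbalanced quote in the input cannot terminate the attribute early, and the handler attribute is gone because it was never on the allowlist, not because a filter recognised the string "onerror".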

Impact

This vulnerability could have been exploited to execute malicious JavaScript against any user who viewed the message, including league administrators. Additionally, since Yahoo! uses cookies shared across its services, which were also accessible to JavaScript, a malicious user could have stolen those cookies and logged into the account of any victim on any Yahoo! service.
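The impact escalates from "script runs in one league page" to "account takeover across services" only because the session cookies were both scoped to a shared parent domain and readable from JavaScript. As an added example (not from the original post, and not a description of Yahoo!'s actual cookie configuration), the following check parses Set-Cookie headers and flags the combination that turns an XSS into a cross-service session theft; the headers it runs on are constructed for the example.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie header.
    Findings describe how an XSS on any host covered by the cookie could
    abuse it; an empty list means the header has the expected hardening."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: document.cookie exposes it to injected script")
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    domain = attrs.get("domain", "").lstrip(".")
    if domain and domain.count(".") == 1:
        # Scoped to a registrable parent (e.g. example.com): every subdomain,
        # including one with an XSS bug, can read or overwrite it.
        findings.append("Domain=%s: shared with every subdomain, so one XSS-affected host exposes it" % domain)
    return name, findings


def high_risk(header):
    """True when the cookie is both JavaScript-readable and domain-wide,
    i.e. the exact combination that makes a single stored XSS a
    cross-service session theft."""
    _, attrs = parse_set_cookie(header)[0], parse_set_cookie(header)[2]
    domain = attrs.get("domain", "").lstrip(".")
    return "httponly" not in attrs and domain.count(".") == 1 and domain != ""


if __name__ == "__main__":
    # Constructed sample headers: a weak one and a hardened one.
    samples = [
        "SESSION=abc123; Domain=.example.com; Path=/",
        "SESSION=abc123; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax",
    ]
    for h in samples:
        name, findings = audit_cookie(h)
        print(name, "HIGH RISK" if high_risk(h) else "ok", findings)
```

The Domain heuristic is deliberately simple (it treats any two-label domain as a registrable parent and does not consult the Public Suffix List), which is enough to separate host-scoped cookies from the domain-wide kind the write-up describes. HttpOnly does not stop an XSS from making authenticated requests from the victim's browser, so it removes the cross-service login path, not the on-page impact.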

Report Timeline:
  • 11/23/2016 - Vulnerability found and reported via Yahoo's bug bounty program on HackerOne
  • 11/25/2016 - Vulnerability accepted and triaged by the Yahoo team
  • 12/03/2016 - Vulnerability patched by Yahoo Security
  • 12/05/2016 - Report marked 'Resolved' on HackerOne
  • 12/07/2016 - Yahoo awarded an $800 bounty

Twitter: http://twitter.com/thedawgyg

Thanks to @yaworsk for help with editing of this post.