According to Behrouz Sadeghipour, the researcher who identified the flaw, some popular Yahoo services were affected, including Travel, Food, Security, Developer, News, Weather, Shopping, Celebrity, TV, Music and Finance.
The vulnerability impacted the comments section of these pages. An attacker simply needed to post a comment containing malicious code.
The bug found by Sadeghipour could lead to two types of attacks. The first was a persistent (stored) XSS attack in which all visitors of an affected page were impacted by the code injected by the attacker through a comment.
The expert has told Softpedia that the more popular subdomains have thousands of posts with thousands of comments on them so a large number of users could have been impacted.
The second issue caused by this bug was a self-XSS where only the commenter (hacker) was affected. In this scenario, other users are impacted only if the comment is listed as a popular comment or a recent comment.
“Many of Yahoo’s services have a comment section. Some use the same exact comment platform as the one on Tech and Travel and some have a different comment platform, like the one on Sports, Weather, and Finance, but they both store the comments in a tab under ‘My Comments’ -> ‘All Comments’ and you will see the stored self XSS there,” the expert explained in a blog post.
“The ‘Self XSS’ could also be engineered to be seen in the ‘Most recent’ or ‘Most discussed’ topics to execute and run the specific XSS string.”
An attacker could have posted a piece of code designed to hijack users’ sessions or cookies. He could have also targeted a specific user by luring him/her to a page containing malicious code.
“Thousands (if not millions) of users use Yahoo and Yahoo Mail in 65 countries supported by Yahoo. Each Yahoo International/country domain (such as Hong Kong, Taiwan, Netherlands, India) uses one of the 2 comment platforms in their daily blog which get thousands of Yahoo and non-Yahoo member visitors daily and could have been a target to this vulnerability,” Sadeghipour noted.
The vulnerability was reported to Yahoo on April 29, 2014. One day later, Yahoo disabled the comments section on Yahoo Services. The flaw was fixed on May 2.