
Vulnerability in Yandex Browser Allows Attackers to Steal Victims' Browsing Data


vissha



Vulnerability is easy to exploit, hard to spot


A CSRF vulnerability existed in the core of the Yandex Browser that allowed attackers to trick the browser's synchronization feature into sending the user's browsing data to the wrong account.

 

If exploited, the vulnerability would have allowed an attacker to steal the victim's saved passwords, browsing history, bookmarks, and autocomplete data, i.e. the data this feature normally syncs between a user's devices.

 

Vulnerability affected Yandex Browser's data sync feature

 

The vulnerability itself was in the Yandex Browser sync login form, where users enter the email address and password of the Yandex account tied to their browser profile.

 

The functionality is similar to Chrome's data synchronization feature. Yandex Browser is built on Chromium, the open source browser project on which Chrome is also based.

 

Softpedia has reached out to Ziyahan Albeniz, the Netsparker researcher who discovered the flaw, to ask whether it also affects Chrome's sync feature. It most likely does not: Google's browser uses a different codebase for its sync authentication, so Yandex's login form bug would not be shared with it.

 

Vulnerability is easy to exploit via malicious web pages

 

According to Albeniz's report, the bug is trivial to exploit: an attacker only needs to lure a user onto a malicious website.

 

That website contains code that builds a copy of the Yandex Browser sync login form and auto-submits it with the attacker's credentials.

 

Because the sync login endpoint did not verify that the submission came from the browser's own login page (that is the CSRF flaw), the forged login is accepted: the victim's browser signs in to sync with the attacker's account and starts uploading a copy of the victim's data to it.

 

"Note that unless the victim finds out what is happening the browser will keep on syncing data to the attacker’s account, therefore things such as new credentials and bookmarks will be synced to the attacker’s account without the victim’s knowledge," Albeniz explains.

 

The researcher reported the issue to Yandex on December 17, 2015. Getting the bug disclosed and fixed was a little tricky, with minimal communication from Yandex; the company did not even tell the researcher that it had fixed the issue in May 2016. The full disclosure timeline is below.

 

Disclosure Timeline


 

  • 17th December 2015: We reported the vulnerability to Yandex via the Yandex Bug Bounty program.
  • 15th January 2016: Since by now we did not hear from Yandex we got directly in touch with one of their engineers via Twitter and were told that an email account was automatically created for us on the Yandex email system. In this account we found an email dated 22nd December 2015 in which a Yandex engineer got back to us telling us that he was unable to reproduce the issue.
  • 8th February 2016: We sent a video PoC.
  • 15th February 2016: We chased Yandex since we did not hear from them.
  • 2nd March 2016: Yandex replied confirming the issue and advised us that they are working on the issue.
  • 7th March 2016: We chased them again to see what is the status, since we were not being updated.
  • 16th March 2016: We chased them again to see what is the status, since we were not being updated.
  • 29th March 2016: We chased them again to see what is the status, since we were not being updated.
  • 12th April 2016: Yandex replied telling us that they are still working on the issue.

 
