A company worth billions of dollars which is supposed to have the best programmers, the kind of company that won’t leave any security wholes in the system. Yahoo! system that is!

XSS bugs are already yesterday’s news when we talk about Yahoo! They are all over the place on the *.yahoo.com subdomains.But we are not talking here about minor XSS bugs. We mean serious business. We are talking about the kind of security which exposes the privacy of millions of users of the “trustable” Yahoo! services.

We are talking about SQL Injection. One of the worst kinds of security breach.

Here you have one of the pages vulnerable to SQL Injection:

http://in.jagran.yahoo.com/article/index.php?choice=homepage_getnews&state=1&city=87%20union%20all%20select%201,concat_ws(0x203a20,version(),user()),3,4,
5,6,7,8,9,10,11,12,13,14,15,16,17,18

What do we find here? Information about the SQL server, its version and the current user SQL user:



A list with SQL users and passwords:


And of course, much more information available at the hand of an attacker.

Moreover, this SQL Injection can be used as an XSS, especially for session hijacking:



The sad part is that Yahoo! didn’t adopt any policy whatsoever regarding this kind of problems. They dont admit they have a problem, nor do they give any credits to those who find them.

Following in the footsteps of other sites, Yahoo! could learn to gain from this. Vast majority of those who find bugs don’t disclose them anymore precisely for the fact that Yahoo! is in total denial. By coming out clean, Yahoo! would also reduce the amount of hacked/stolen accounts and other shameful security breaches like the one we present here.