Yahoo developer feature (YQL Console) might be exploited to steal user emails and other data

YQL is similar to SQL (Structured Query Language) and was created by Yahoo. YQL can be used to query, filter and combine data stored in databases.The Yahoo developer website provides access to Web-based console for aiding to execute YQL queries against Yahoo’s own databases.

According to an independent Romanian security researcher, Attackers could read private emails, contacts and other data from Yahoo users using this web-console. Bogdan presented a limited version of this attack at the DefCamp security conference in Bucharest, Romania.

During his presentation,  a proof-of-concept (PoC) attack page was created and loaded in an iframe,when an authenticated user visited the attack page,  a  test account was used and the iframe returned the visitor’s crumb code which would contain user-session-specific authorisation code.

In this PoC, Bogdan used a YQL command to change the user’s Yahoo profile status in Yahoo’s database. But the same method could be used to exploit  the number of emails from the user’s Yahoo email account, or other private information, Bogan said.

Yahoo can block such attacks by preventing unauthorized third-party websites from loading pages from its developer.yahoo.com domain inside an iframe, the researcher said.

As of now – Yahoo did not respond to a request for comment regarding Bogdan’s proof-of-concept attack presented at DefCamp and the solution he suggested. However, he is yet to put things in proper place to get a report and file it to Yahoo!