I discovered an XSS vulnerability in the IO Utility [1] of the YUI library. In this post I explain the vulnerability and its effect on Yahoo Mail.
Details:
The ExternalInterface class in ActionScript is an application programming interface that enables communication between ActionScript and the SWF container. This class has a method named "call()" which invokes a JavaScript function if the container is an HTML page. It takes two parameters: the first one is the name of the JavaScript function to call and the other one is a string to pass to that JavaScript function. It is possible to execute malicious JavaScript in the context of the container if either of these parameters is attacker-controlled [2].
In the IO Utility of YUI, io.swf (located at yui\build\io-xdr\io.swf) was vulnerable to XSS. As you can see in Figure 1, yid and uid are derived from user input and then used as a parameter to ExternalInterface.call() without any validation.
Figure 1 - Vulnerable code
PoC:
http://localhost/io.swf?yid=\"%29%29;}catch%28e%29{alert%28document.domain%29;}//
Yahoo Mail was affected by this vulnerability because io.swf was hosted on the Yahoo Mail main domain (fail!) and accessible from http://us-mg5.mail.yahoo.com/neo/ued/assets/flash/io.swf for logged-in users.
Figure 2 - io.swf hosted in Yahoo Mail domain
How to exploit this issue:
Yahoo uses the HttpOnly flag for cookies, so it is not possible to hijack cookies, but as io.swf is hosted in the context of us-mg[x].yahoo.com I was able to execute JavaScript in the context of us-mg[x].yahoo.com. For example, by sending the URL below to a Yahoo Mail user it was possible to read his inbox.
http://us-mg5.mail.yahoo.com/neo/ued/assets/flash/io.swf?yid=\%22%29%29;}catch%28e%29{x=window.open('http://us-mg5.mail.yahoo.com/');setTimeout('alert(x.document.body.innerText)',4000)}//
In a future post I'll explain the exploitation of this type of vulnerability.
PoC Video:
Fix:
On June 6th, YUI 3.10.1 was released, which fixed this issue. The fix is based on a regular expression that validates the yid and uid values.
Figure 3 - Vulnerability fixed
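The two technical points above are the unvalidated flow of yid and uid into ExternalInterface.call() and the allowlist-style fix. The following is an added example, written for this post rather than taken from YUI's own code, that shows the defensive pattern in JavaScript: parse the query string the SWF would receive and accept the ids only when they match a strict allowlist. The exact regular expression YUI 3.10.1 uses is not reproduced here; SAFE_ID below is an assumption chosen to illustrate the idea, and the sample query strings are constructed for the example.

```javascript
// Added example (not YUI's code): allowlist validation for values that will be
// handed to a JavaScript-invoking sink such as ExternalInterface.call().
// SAFE_ID is an assumed pattern, not the regular expression YUI shipped.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;

// An id is safe only if it is a string made entirely of allowlisted characters.
// Quotes, parentheses, braces and slashes are therefore never accepted, which is
// what stops a value from changing the meaning of the generated JavaScript call.
function isSafeId(value) {
  return typeof value === 'string' && SAFE_ID.test(value);
}

// Parse the query string of a request for io.swf (constructed input) and return
// both ids only when both pass the allowlist; otherwise return null so the
// caller refuses to make the ExternalInterface call at all.
function extractIds(queryString) {
  const params = new URLSearchParams(queryString);
  const yid = params.get('yid');
  const uid = params.get('uid');
  if (!isSafeId(yid) || !isSafeId(uid)) {
    return null;
  }
  return { yid, uid };
}

// Stand-alone run: a well-formed pair is accepted, the decoded PoC value from
// this post is rejected, and a missing uid is rejected.
console.log(extractIds('yid=abc_12&uid=x-9'));
console.log(extractIds('yid=\\"%29%29;}catch%28e%29{alert%28document.domain%29;}//&uid=u1'));
console.log(extractIds('yid=abc'));
```

Rejecting the whole request (rather than trying to escape the value) is the right choice for this sink: the first argument of ExternalInterface.call() is a function name, so there is no quoting scheme that makes an arbitrary string safe there, and an allowlist is the only validation that holds for both parameters.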
I was aware of this vulnerability for a long time but I wasn't interested in reporting it to Yahoo Security because my past experiences show that nothing more than a T-shirt could be achieved (they don't send it to Iran :P), and not even credit for responsible disclosure when you report a vulnerability to Yahoo!
However, recently I sent an email and asked if they pay a reward for responsible disclosure, and they replied:
Figure 4 - Yahoo Security team response
[1] http://yuilibrary.com/yui/docs/io/
[2] http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/external/ExternalInterface.html
haha...good. Nice move. Why help them if they don't pay reasonable compensation? I mean, it's a multi-million dollar company.