11.14.07

Yahoo! Security impressed me.

Posted in IT, Security, Vulnerabilities at 2:24 pm by Tyler Reguly

I got an early Christmas gift this year. My fiance bought me a subscription to Yahoo! Music Unlimited, 2 million songs that I can stream / download on demand (which is awesome, if anyone's been thinking about buying it). Now, in order to use Yahoo! Music Unlimited, I had to install Yahoo! Music Jukebox. The program's search feature was obviously web based, so I became a little curious. I started testing various inputs into the search box. Now, basics like <script> were filtered out, but I wanted to see where I could take this. In my 30 minutes or so of searching, I found two issues.

  1. %00 was accepted into the search box and would cause early termination of the search page when it was loading.
  2. test%3Cimg%09src%3Djavascript%3Aalert(document.cookie)%3EFaith was a valid XSS. The 'Faith' had to be appended to the end because it would still attempt to search for an artist, and would actually find a match with the data provided prior to 'Faith' using some sort of guessing algorithm. 'Faith' caused the guessing algorithm to not match.
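
Why a filter that only removes <script> lets item 2 through, and how rejecting control characters and encoding output handles both items, shown as an added example. This is not Yahoo!'s code, and the post does not say how the fix was implemented; all function names are hypothetical and the sample queries are constructed from the two inputs quoted above.

```javascript
// Constructed inputs based on the two items in the list above.
const XSS_QUERY = "test%3Cimg%09src%3Djavascript%3Aalert(document.cookie)%3EFaith";
const NUL_QUERY = "test%00Faith";

// Blocklist approach (hypothetical): strip <script> tags, trust the rest.
function naiveFilter(rawQuery) {
  const decoded = decodeURIComponent(rawQuery);
  return decoded.replace(/<\/?script[^>]*>/gi, "");
}

// Input validation: a search term has no reason to carry NUL, tab or any
// other control character, so reject the request instead of repairing it.
function validateQuery(rawQuery) {
  const decoded = decodeURIComponent(rawQuery);
  if (/[\u0000-\u001f\u007f]/.test(decoded)) {
    return { ok: false, reason: "control character in query" };
  }
  return { ok: true, value: decoded };
}

// Output encoding for an HTML text context: markup characters become
// entities, so the browser shows the query as text instead of parsing it.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: the blocklist output goes straight into the page.
function renderNaive(rawQuery) {
  return "<h1>Results for " + naiveFilter(rawQuery) + "</h1>";
}

// Hardened rendering: validate first, then encode whatever is echoed back.
// Returns null when the request should be refused.
function renderSafe(rawQuery) {
  const checked = validateQuery(rawQuery);
  if (!checked.ok) return null;
  return "<h1>Results for " + escapeHtml(checked.value) + "</h1>";
}

console.log(JSON.stringify(renderNaive(XSS_QUERY)));  // img tag survives the blocklist
console.log(renderSafe(XSS_QUERY), renderSafe(NUL_QUERY)); // both refused
console.log(escapeHtml(decodeURIComponent(XSS_QUERY)));     // encoded even without validation
```

Validation and encoding are independent layers here: the encoder alone already neutralises the markup, and the control-character check alone already refuses both inputs.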

I reported these issues to Yahoo! Security on Nov. 9th and received a same day response. It didn't have the same personalized feel that a report to Microsoft has, but it was speedy. Yesterday (Nov. 13th), I received another email from Yahoo! Security telling me that a fix had been implemented and asking me to test it. I tested it and it was indeed fixed; I was rather impressed.