Yahoo! Saves! Trolls! From! Session! Jacking! Holes!

Yahoo! has patched a cross site scripting (XSS) flaw in the commenting system it uses across many of its properties.

The internet giant squished two attack vectors affecting a laundry list of Yahoo! services covering topics as diverse as shopping and sport two weeks after they were reported on May 2nd.

Californian web dev and security researcher Behrouz Sadeghipour found attackers could steal Yahoo! users session cookies and tokens by injecting code into the comment system.

In a disclosure he said the attack could have been used with a bot to compromise users en masse.

"The websites ... will store the string and present it to anyone visiting the post containing the comment," Sadeghipour said.

"So with a sample bot we could post a comment containing malicious code to hijack the visitors' session cookie.

"We could also simply target a specific user by linking them to a post containing a comment with a malicious code by the attacker."

All Yahoo! top level domains were affected by the stored XSS attacks placing thousands of daily commenters at risk.

Sadeghipour also found a less dangerous self-XSS which could be placed in the comments section and engineered to target users by appearing under the 'most recent' or 'most discussed' fields.

Cross site scripting flaws littered the internet and could cause varying degrees of damage. At its most severe, users can be served malware or have accounts compromised, as the video below showe.

Proof of Concept video

Web admins should consult OWASP for guidance to remove the vulnerabilities from their sites. ®