In this case the attacker needs to trick the user into handing over the secret code displayed on the page. Since the crumb is a random-looking string of letters and digits -- for example "y5XAjn1fKIQ" -- Bogdan built a fake CAPTCHA test on the attack page and positioned the iframe so that the crumb it displays appears to be the CAPTCHA challenge string the user has to type in to pass the test. By "solving" the fake CAPTCHA, the user is actually copying the crumb into a form the attacker controls, and thereby authorizing a YQL query to be made in his name.
Using fake CAPTCHAs is not a new attack method. It has been documented before as a technique for bypassing cross-domain restrictions, and there are known cases of attackers using it successfully to steal security tokens. Last year Symantec reported that spammers were using a very similar technique to steal anti-CSRF (cross-site request forgery) codes from Facebook users, which allowed them to post spam links on those users' behalf.
In his PoC attack, Bogdan used a YQL command to change the user's Yahoo profile status in Yahoo's database, but the same method could be used to run a YQL query that returns messages from the user's Yahoo Mail account, or other private information.
Actually reading those emails would require a further technique to get the returned data out to the attacker's server, because the query response is rendered on Yahoo's own domain and the same-origin policy keeps the attacker's page from reading it directly. Bogdan said he knows how to do that but did not want to disclose the method during his presentation, for ethical reasons.
However, he agreed to demonstrate it privately in the presence of one of the conference's organizers, using a test email account.
In addition, he said the whole attack can be fully automated by leveraging a yet-undisclosed vulnerability located elsewhere on the developer.yahoo.com website.
That means the attacker no longer needs the CAPTCHA trick, he said: the user only has to visit a specially crafted page.
Because the attack exploits multiple security issues and uses several different techniques, Bogdan called it a "blended threat."
He said he plans to share his findings with Yahoo as soon as he has some time to put everything in a proper report.
In the meantime, Yahoo can block such attacks by preventing unauthorized third-party websites from loading pages from its developer.yahoo.com domain inside an iframe, the researcher said.
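The fix the researcher suggests is the standard anti-framing control: a page that must never be shown inside a third-party iframe tells the browser so, with the legacy X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the article, from the talk it describes, or from Yahoo. It builds those headers for a page and then evaluates them the way a browser does, so a server operator can check offline which origins a given policy would still let frame the page. The hostnames attacker.example and mail.yahoo.com are assumed for illustration; developer.yahoo.com is the domain named in the article.

```javascript
'use strict';
// Added example: evaluates anti-framing headers as a browser would.
// Not Yahoo's code; hostnames other than developer.yahoo.com are made up.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split an origin into scheme, host and port, filling in the default port
// so "https://a.example" and "https://a.example:443" compare as equal.
function parseOrigin(origin) {
  const u = new URL(origin);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Headers for a page that must not be framed by third parties. With no
// allowed ancestors the page cannot be framed at all; the string 'self'
// allows same-origin framing; any other entry is a CSP host-source such as
// "https://*.yahoo.com". X-Frame-Options cannot express an allow-list, so it
// is sent as the fail-closed fallback for browsers that ignore frame-ancestors.
function antiFramingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  const sources = allowedAncestors.map(a => (a === 'self' ? "'self'" : a)).join(' ');
  return {
    'X-Frame-Options': allowedAncestors.includes('self') ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': `frame-ancestors ${sources}`,
  };
}

// Case-insensitive header lookup, since header names are case-insensitive.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Does one frame-ancestors source expression permit this ancestor origin?
// Implements the CSP3 matching rules for 'none', 'self', '*', scheme-sources
// and host-sources (optional scheme, "*." wildcard, optional port).
function sourceMatches(expr, ancestor, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return sameOrigin(ancestor, page);
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return ancestor.scheme === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme: explicit scheme must match; an omitted scheme means the page's
  // own scheme, with http allowed to be satisfied by https.
  const want = scheme ? scheme.toLowerCase() + ':' : page.scheme;
  if (ancestor.scheme !== want && !(want === 'http:' && ancestor.scheme === 'https:')) return false;
  // Host: "*.example" matches subdomains only, never the bare host.
  const h = host.toLowerCase();
  if (wildcard ? !ancestor.host.endsWith('.' + h) : ancestor.host !== h) return false;
  // Port: explicit port must match; omitted port means the scheme's default.
  if (port && port !== '*') return ancestor.port === port;
  return ancestor.port === DEFAULT_PORTS[ancestor.scheme];
}

// May a page served with these headers from pageOrigin be framed by a
// document at ancestorOrigin? frame-ancestors takes precedence over
// X-Frame-Options; with neither present, anyone may frame the page, which
// is the situation the article describes.
function mayBeFramed(headers, pageOrigin, ancestorOrigin) {
  const page = parseOrigin(pageOrigin);
  const ancestor = parseOrigin(ancestorOrigin);
  const csp = headerValue(headers, 'content-security-policy') || '';
  const directive = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors(\s|$)/i.test(s));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1); // empty list matches nothing
    return sources.some(src => sourceMatches(src, ancestor, page));
  }
  const xfo = (headerValue(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(ancestor, page);
  return true;
}

module.exports = { antiFramingHeaders, mayBeFramed };
```

Note that the browser, not the server, enforces these headers; the evaluator only predicts its decision for a given policy. Blocking framing defeats the overlay trick in which the crumb is dressed up as a CAPTCHA, but it does nothing against the fully automated variant the researcher mentions, which relies on a separate flaw in the developer.yahoo.com site rather than on an iframe.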