Many services we use on a daily basis turn out to be quite buggy. This time our attention was caught by a vulnerability in the Yandex Browser, built on Chromium, which could have allowed attackers to steal users’ browsing history, passwords and bookmarks. More specifically, the vulnerability in question is a cross-site request forgery (CSRF). The flaw was discovered by Ziyahan Albeniz, a Netsparker researcher.
First of all, what exactly is a cross-site request forgery (CSRF Flaw)?
Cross-site request forgery, also known as one-click attack or session riding, CSRF or XSRF for short, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser. (Via Wikipedia)
How a CSRF attack is carried out
In short, to carry out a successful attack of that type, the malicious actor has to trick the user into visiting a compromised website that transparently forces the user’s web browser to perform actions on a trusted page, that is, a page where the user is currently authenticated, without the user’s knowledge.
In the case of the Yandex browser, this issue resides in the browser’s login form where the user enters an email address and password for an internal account. This is a feature very similar to Chrome’s data synchronization feature.
The CSRF vulnerability was found in the login screen of the Yandex Browser that is used by users to login to their Yandex account to synchronize their browser data (such as passwords, bookmarks, form values, history) between different devices they own, such as smartphones, tablets and PCs. The Google Chrome browser has the same feature.
How can the CSRF flaw be exploited in the Yandex Browser?
The researcher explains that all an attacker would have to do is force the victim’s browser to log in to the sync feature using the attacker’s own credentials. This is how the malicious actor would obtain personal information saved in the browser, including history, passwords, open tabs and bookmarks.
Is it difficult to exploit the CSRF flaw? Not at all!
Albeniz’s report indicates that the bug is easy to exploit. All an attacker has to do is lure the user into accessing a malicious website. That website contains code that creates a Yandex Browser data sync login form and submits it with the attacker’s credentials. The CSRF vulnerability then allows this submission to start an automatic syncing operation. The end result is a copy of the user’s data being sent to the attacker, and this keeps occurring until the user notices and takes action. In other words, absent any countermeasure, information such as newly saved credentials will continue to be synced without the user’s knowledge.
Yandex was notified about the issue and it was fixed in May 2016. However, the researcher shared that disclosing the bug and communicating with the company was not an easy process; Yandex did not inform him that the vulnerability had been fixed.