CSRF Flaw in Yandex Browser Could Lead to Personal Data Theft

Many services we use on a daily basis turn out to be quite buggy. This time our attention was caught by a vulnerability in the Yandex Browser, built on Chromium, which could have allowed attackers to steal users’ browsing history, passwords and bookmarks. More specifically, the vulnerability in question is of the cross-site request forgery type. The flaw was discovered by Ziyahan Albeniz, a Netsparker researcher.

First of all, what exactly is a cross-site request forgery (CSRF Flaw)?

Cross-site request forgery, also known as one-click attack or session riding, CSRF or XSRF for short, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser. (Via Wikipedia)

How a CSRF attack is carried out

In short, to carry out a successful attack of this type, the malicious actor has to trick the user into visiting a compromised website that transparently forces the user’s web browser to perform actions, without the user’s knowledge, on a trusted page where the user is currently authenticated.
In the case of the Yandex browser, this issue resides in the browser’s login form where the user enters an email address and password for an internal account. This is a feature very similar to Chrome’s data synchronization feature.

The CSRF vulnerability was found in the login screen of the Yandex Browser, which users use to log in to their Yandex account to synchronize their browser data (such as passwords, bookmarks, form values, history) between the different devices they own, such as smartphones, tablets and PCs. The Google Chrome browser has the same feature.

How can the CSRF flaw be exploited in the Yandex Browser?

The researcher explains that all an attacker would have to do is force the victim to log in using the attacker’s own credentials. This is how the malicious actor would obtain personal information saved in the browser, including history, passwords, open tabs and bookmarks.

Is it difficult to exploit the CSRF flaw? Not at all!

Albeniz’s report indicates that the bug is easy to exploit. All an attacker has to do is lure the user into accessing a malicious website. The latter will contain code that creates a Yandex Browser data sync login form and submits it with the hacker’s credentials. The CSRF vulnerability will then allow this submission to start an automatic syncing operation. The end result is a copy of the user’s data being sent to the attacker. This will keep on occurring unless the user finds out about it and takes action. In other words, if no countermeasure is taken, information like new credentials will continue to be synced without the user’s knowledge.

Yandex was notified about the issue and it was fixed in May 2016. However, the researcher shared that disclosing the bug and communicating with the company was not an easy process. Yandex didn’t inform him that the vulnerability was fixed.
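The article does not say how Yandex fixed the flaw. As an added example (not Yandex's code and not from the researcher's report), this is one common way a login endpoint rejects cross-site login submissions: check the request's origin and require a pre-session token, since no authenticated session exists yet to hang a token on. The origin `https://sync.example`, the cookie name `login_csrf` and the field name `csrf_token` are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for this sketch, not taken from the article.
TRUSTED_ORIGIN = "https://sync.example"  # hypothetical sync-login origin
SERVER_KEY = secrets.token_bytes(32)     # per-deployment secret


def _mac(nonce):
    return hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()


def issue_login_token():
    """Issued when the login form is rendered, before any session exists.

    Returns (cookie_value, hidden_field_value). A page on an unrelated site
    cannot read or plant this cookie, so a form it submits cannot carry a
    matching pair.
    """
    nonce = secrets.token_hex(16)
    return nonce, _mac(nonce)


def _origin_of(headers):
    """Origin header if present, otherwise the origin part of Referer."""
    parts = urlsplit(headers.get("Origin") or headers.get("Referer") or "")
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else ""


def check_login_request(headers, cookies, form):
    """Return (allowed, reason) for a POST to the login endpoint."""
    if _origin_of(headers) != TRUSTED_ORIGIN:
        return False, "cross-origin or missing Origin/Referer"
    nonce = cookies.get("login_csrf", "")
    token = form.get("csrf_token", "")
    if not nonce or not hmac.compare_digest(_mac(nonce), token):
        return False, "missing or invalid login CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: a genuine login and a cross-site submission."""
    nonce, token = issue_login_token()
    genuine = check_login_request(
        {"Origin": TRUSTED_ORIGIN}, {"login_csrf": nonce}, {"csrf_token": token})
    forged = check_login_request({"Origin": "https://unrelated.example"}, {}, {})
    return genuine, forged
```

The token check still matters when the origin check passes, because some requests arrive with neither header stripped nor a token attached; both conditions must hold before credentials are processed.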

Milena Dimitrova
