Skip to main content

Posts

Showing posts from December, 2014

Curious case of Yammer XSS

Microsoft recently (finally!!) started with their bug bounty program for some of the online services. Yammer is part of its scope. Noticing this I jumped on to find bugs in Yammer because it looked to be the easier of the targets. This post is about a strange stored XSS I found in Yammer apps which would have allowed non-admin users to steal cookies from admin users and also do other nasty stuff.

To begin with, Yammer is a private social network that helps employees collaborate across departments, locations and business apps. 

Once logged in to Yammer, any user can create and publish apps to the organization's Apps directory. This process does not require authorizations or approvals. Apps are published to the app directory some time after it is created.

Apps can be created from https://www.yammer.com/client_applications.
When registering the app, Yammer takes in Redirect URI value which is "the URL to redirect the user's browser to after the user has linked the application to…