For those who do not know what it is, here is a quick overview of what a CSRF vulnerability is:
HTTP is a stateless protocol, and because of this web servers cannot identify if a number of requests are coming from the same visitor or not. Though with the help of Cookies it is possible to track users’ behaviour, because a cookie (or session ID) is is unique to the website visitor. The cookie or session ID is created when the visitor’s browser sends the first request to the web server. During the continuation of the session, the visitor’s browser sends the cookie with every subsequent request to the server and if the cookie is not sent, the server will not recognize the visitor.
To successfully craft and exploit a Cross-Site Request Forgery (CSRF) attack, the attacker tricks the victim into accessing a malicious website that transparently forces the victim’s web browser to perform actions on a trusted website to which the victim is currently authenticated without the victim’s knowledge. For example,
This means that the attacker can do anything that the victim can do on that website when logged. Therefore if the victim is an administrator on the trusted website, the attacker can for example add a new user or delete data on the trusted website.
As a means of protection against the exploitation of CSRF attacks such as the one described above developers can programmatically create a unique and unpredictable keys in forms, which are referred to as Anti-CSRF Tokens. However, they often neglect to implement this protection in login forms because they don't consider "CSRF in Login Forms" as a security issue.
Yandex is a Russian Search Engine company which according to recent reports it is the 4th most popular search engine, even more popular than Bing. Yandex has a number of products and services, one of which is the Yandex browser. In the remainder of this article we will explain the technical details of a CSRF vulnerability in the Yandex browser, which was identified by Netsparker researchers.
The CSRF vulnerability was found in the login screen of the Yandex Browser that is used by users to login to their Yandex account to synchronize their browser data (such as passwords, bookmarks, form values, history) between different devices they own, such as smartphones, tablets and PCs. The Google Chrome browser has the same feature.
By forcing the victim to log in with his own credentials, the attacker can access all of the victim's information that is saved in the browser such as browser history, passwords, opened tabs and bookmarks.
Below is a step-by-step explanation of the proof of concept of the CSRF vulnerability in the Yandex browser:
form method="POST" action="https://browser.yandex.com.tr/sync/" role="form">
<input name="login" value="vvvait">
<input name="passwd" value="n3t5p4rk3r">
By combining the Yandex browser synchronization feature and the exploitation of the CSRF attack in the login screen the attacker managed to steal the victim's passwords, browser history, bookmarks and auto complete info. In addition to that, the attacker effectively backdoored the victim’s browser to keep his account synced with future updates from the user. Therefore the victim’s browser will continue syncing data without the victim being aware of this browser feature and of what is happening.
By mid May we noticed that the vulnerability was addressed, though we were never updated by the Yandex team about the fix.