Yammer.com is part of Microsoft Bug Bounty for Online Services. During some research in used Flash files I found this one: video-js.swf (source).
Take a look to this piece of code:
So - only chars we are able to use is alphanumeric, underscore and a dot - to prevent Cross-Site Scripting. For example - if we’ll provide readyFunction=alert - our flash file will execute alert function, but we have no control over arguments (because we can't use brackets), so it’s useless for XSS purposes.
...and here is the place where we can start talking about Same-Origin Method Execution :-) Let take evil.com, that have hyperlink to vulnerable videoplayer. After clicking to this link, it opens the flash file in new tab, and next - redirect evil.com to yammer.com (in the same tab). From now on - newly opened tab have access to previous tab by window.opener (because they are both in Same Origin - yammer.com), and it’s also able to access DOM and execute functions in context of opened yammer.com page.
The goal is to authorize user to some malicious application without his knowledge. Attack scenario will look this way:
1. User is visiting evil PoC site
2. He/she clicks on link which -in the end - redirect user to video player with readyFunction param described later
3. We’re redirecting Poc site to our yammer.com application - all we need to know is client_id - link example here:
4. We need to wait few seconds to be 100% sure that redirect from point 3 happend (that's why I used proxy.php that sleeps and then returns 30x).
5. Flash Video Player will execute this readyFunction:
window.opener.new_message_popup.nextElementSibling.lastElementChild.firstChild.nextElementSibling.click()
...which is simply the “Allow” button + click() function :->
As you can imagine - this will cause clicking on the button and authorizing application to victim’s account, which is dangerous. :)
Proof of Concept goes here: http://ropchain.org/poc/yammer-some.html
...and demo:
