A security researcher has discovered a way to combine a cross-site scripting (XSS) vulnerability with a cookie parsing flaw in Yelp’s infrastructure, which could allow attackers to steal user data and take control of accounts.
The XSS flaw lies in the way Yelp handles the “guvo” cookie, which is reflected unescaped in the HTML of key pages, allowing malicious JavaScript payloads to be injected.
The cookie parsing error then enables the “guvo” cookie to be smuggled inside another cookie, “yelpmainpaastacanary”, via a URL query parameter.
Together, these defects create a persistent XSS attack vector that could allow malicious code to remain in a victim’s browser indefinitely.
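As an added example that is not taken from the article or from Yelp's code, the following Python models the two defect classes described above: a lenient Cookie-header parser that lets one cookie's value carry a second cookie, and the two server-side checks that close both gaps (validating values against the RFC 6265 cookie-octet set before they are set, and HTML-escaping any cookie value before it is reflected). The cookie names are those the article mentions; the parser behaviour and the sample values are assumptions constructed for illustration.

```python
import html
import re
from typing import Dict

# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, '"', ',', ';', '\'.
# A value outside this set is what lets a lenient parser see extra cookies.
_COOKIE_OCTET = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


def is_safe_cookie_value(value: str) -> bool:
    """True when the value consists only of RFC 6265 cookie-octets."""
    return _COOKIE_OCTET.fullmatch(value) is not None


def parse_cookie_header_lenient(header: str) -> Dict[str, str]:
    """Models a lenient Cookie-header parser (an assumption, not Yelp's actual
    code): split on ';', then on the first '='. A ';' inside one cookie's
    value therefore yields a second, smuggled cookie."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def build_cookie_header(cookies: Dict[str, str]) -> str:
    """Hardened serializer: refuse any value a lenient parser would split, so a
    query parameter copied into 'yelpmainpaastacanary' cannot carry 'guvo'."""
    for name, value in cookies.items():
        if not is_safe_cookie_value(value):
            raise ValueError(f"cookie {name!r} has characters outside cookie-octet")
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


def render_reflected(value: str) -> str:
    """Reflect a cookie value into HTML text content with escaping applied,
    which removes the XSS sink regardless of how the cookie got there."""
    return f"<span>{html.escape(value, quote=True)}</span>"


if __name__ == "__main__":
    # Constructed sample: a harmless marker stands in for an injected payload.
    hostile = "canary; guvo=<b>injected</b>"
    print(parse_cookie_header_lenient(f"yelpmainpaastacanary={hostile}"))
    # -> {'yelpmainpaastacanary': 'canary', 'guvo': '<b>injected</b>'}
    try:
        build_cookie_header({"yelpmainpaastacanary": hostile})
    except ValueError as exc:
        print("rejected:", exc)
    print(render_reflected("<b>injected</b>"))  # -> <span>&lt;b&gt;injected&lt;/b&gt;</span>
```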
While Yelp has already patched the vulnerability, the case is a clear demonstration of how minor oversights can combine into severe security flaws.