Using fake CAPTCHAs is not a new attack method. It has been documented before as a way around the browser's cross-domain restrictions: the attacker loads a page from the target site inside an iframe on his own site, and because the same-origin policy stops his script from reading the token that page displays, he tricks the user into copying it into a form field disguised as a CAPTCHA. There are known cases of attackers using this method successfully to steal security tokens. Symantec reported last year that spammers were using a very similar technique to steal anti-CSRF (cross-site request forgery) tokens from Facebook users, which allowed them to post spam links on their behalf.
In his proof-of-concept attack, Bogdan used a YQL command to change the status message in the user's Yahoo profile, but the same method can be used to run a YQL query that returns messages from the user's Yahoo email account or other private information.
In order to actually read the emails, the attacker would need to use another technique that would force the data to be returned to his server. Bogdan said he knows how to do that but didn't want to disclose the method during his presentation for ethical reasons.
However, he agreed to demonstrate it privately in the presence of one of the conference's organizers, using a test email account.
In addition, he said the whole attack can be completely automated by leveraging a yet-undisclosed vulnerability located somewhere else in the developer.yahoo.com website.
This means the attacker no longer needs to use the CAPTCHA trick, he said. The user just needs to visit a specially crafted page.
Because the attack exploits multiple security issues and uses several different techniques, Bogdan called it a "blended threat."
He said he plans to share his findings with Yahoo as soon as he has some time to put everything in a proper report.
In the meantime, Yahoo can block such attacks by preventing unauthorized third-party websites from loading pages from its developer.yahoo.com domain inside an iframe, the researcher said.
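The standard way for a site to stop third-party pages from framing it is the X-Frame-Options response header (and, in later browsers, the Content-Security-Policy frame-ancestors directive). The script below is an added example, not code from the article or from Yahoo: given a page's response headers, it decides whether a browser would let a page at one origin be embedded in an iframe served from another, which is the check a tester would run against the developer.yahoo.com pages the researcher says should not be frameable. The hostnames, header values and the attacker origin are constructed for illustration.

```python
"""
Framing-policy check: will a browser render `page_url` inside an iframe on
`framer_url`, judging from the page's response headers?

Rules implemented (per the X-Frame-Options RFC 7034 and CSP Level 2):
  * A Content-Security-Policy `frame-ancestors` directive, when present,
    takes precedence and X-Frame-Options is ignored.
  * X-Frame-Options DENY blocks everyone, SAMEORIGIN allows only the page's
    own origin, ALLOW-FROM <uri> allows exactly that origin (only some
    browsers ever honoured ALLOW-FROM; Chrome ignored it).
  * No header at all means any site may frame the page.
IPv6 literals and unusual port syntax are not handled.
"""

_DEFAULT_PORTS = {"http": "80", "https": "443"}


def _split_source(s):
    """Split 'scheme://host:port/anything' into (scheme or None, host, port), lower-cased."""
    scheme = None
    if "://" in s:
        scheme, s = s.split("://", 1)
        scheme = scheme.lower()
    host, _, port = s.split("/", 1)[0].partition(":")
    return scheme, host.lower(), port


def normalize_origin(url):
    """Reduce a URL to its origin, dropping the path and a default port."""
    scheme, host, port = _split_source(url)
    if scheme is None:
        raise ValueError("origin needs a scheme: " + url)
    if port in ("", _DEFAULT_PORTS.get(scheme)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _xfo_allows(value, framer, page):
    v = value.strip()
    upper = v.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return framer == page
    if upper.startswith("ALLOW-FROM"):
        return normalize_origin(v[len("ALLOW-FROM"):].strip()) == framer
    # Browsers differ on malformed values; Chrome treats them as if absent.
    return True


def _frame_ancestors_allow(sources, framer, page):
    lowered = [s.lower() for s in sources]
    if lowered in ([], ["'none'"]):
        return False
    fscheme, fhost, fport = _split_source(framer)
    fport = fport or _DEFAULT_PORTS.get(fscheme, "")
    for src in lowered:
        if src == "'self'":
            if framer == page:
                return True
        elif src == "*":
            return True
        elif src.endswith(":") and "://" not in src:  # scheme-source, e.g. "https:"
            if src[:-1] == fscheme:
                return True
        elif src.startswith("'"):
            continue  # 'none' among other sources, or an unsupported keyword
        else:  # host-source, optionally with scheme, "*." prefix and port
            sscheme, shost, sport = _split_source(src)
            if sscheme and sscheme != fscheme:
                continue
            if shost.startswith("*."):
                if not fhost.endswith(shost[1:]):  # *.yahoo.com does not match yahoo.com itself
                    continue
            elif shost != fhost:
                continue
            if sport and sport != "*" and sport != fport:
                continue
            return True
    return False


def frameable_by(headers, page_url, framer_url):
    """True if a document at framer_url may embed page_url in an iframe."""
    page, framer = normalize_origin(page_url), normalize_origin(framer_url)
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return _frame_ancestors_allow(parts[1:], framer, page)
    if "x-frame-options" in lower:
        return _xfo_allows(lower["x-frame-options"], framer, page)
    return True


# Constructed sample responses; none of these are real Yahoo headers.
PAGE = "https://developer.yahoo.com/yql/console/"
ATTACKER = "https://attacker.example"
SAMPLES = {
    "no framing header": {"Content-Type": "text/html"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp allowlist": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.yahoo.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:20s} frameable by {ATTACKER}: {frameable_by(hdrs, PAGE, ATTACKER)}")
```

Run against a live response, the function should return False for every origin other than the site's own; a True for an arbitrary attacker origin is exactly the condition the CAPTCHA trick relies on. Note that the header only matters if it is sent on the page that actually displays the token or the console, not just on the site's landing page.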
Yahoo did not respond to a request for comment regarding Bogdan's proof-of-concept attack presented at DefCamp and the solution he suggested.
Bogdan has only recently started doing Web vulnerability research. Nevertheless, he has already earned a cash reward from Google and a listing in the company's Application Security Hall of Fame for finding and reporting a vulnerability in one of the company's websites.
Google, Mozilla, Facebook, and PayPal run bug bounty programs through which they pay researchers who responsibly disclose vulnerabilities found in their websites. Other companies, such as Microsoft, don't hand out monetary rewards but recognize the help received from researchers by publishing their names on special thank-you pages on their websites.