Project

A number of serious vulnerabilities found in Yandex services

Customers: Yandex

Product: External IT and information security audit projects (including PCI DSS and ISMS)

Project date: 2013/01

Positive Technologies experts have discovered a number of serious vulnerabilities in Yandex services that allowed access to parts of the company's internal network.

The search was carried out at the end of 2012 as the second stage of the Yandex Bug Bounty program, which Russia's largest search engine runs on a permanent basis. Most Yandex resources, as well as its mobile applications, were in scope: Yandex.Maps, Yandex.Navigator, Yandex.Music, Yandex.Mail and Yandex.Market.

As the Positive Technologies web application security analysis team found, security problems existed on the Yandex.Passport, Yandex.Mail and Yandex.Maps servers, on wiki.yandex.ru and school.yandex.ru, and on other resources of the portal. In total, Positive Technologies specialists identified several dozen vulnerabilities of varying severity, including memory disclosure, XSS, open redirect, HTTP response splitting and CSRF.

The most serious flaw, according to Positive Technologies, was in the Yandex.Webmaster service, which was vulnerable to XML External Entity (XXE) injection through XSD schemas. An XSD is itself an XML document, so a parser that resolves external entities while loading it will fetch attacker-supplied URLs or local files on the server's behalf. Exploiting this vulnerability could have opened access to neighbouring hosts in Yandex's internal network and posed a potential threat to user data.

Thanks to the professional work of Yandex's security specialists, the defects in these popular services were quickly eliminated.

This is not the first time Positive Technologies has worked with leading Russian and foreign companies that run search services. In 2010, the names of several Positive Technologies experts were added to Google's virtual Hall of Fame in recognition of their help in improving security. In November 2012, Artem Chaykin found two critical vulnerabilities in the Chrome browser for Google's Android platform that could threaten the security of most of the latest smartphones and tablets. In spring 2012, Positive Technologies expert Dmitry Serebryannikov discovered a critical vulnerability on a Google website, for which he received an award under the Vulnerability Reward Program.

Open bug bounty programs (literally "bug hunting"), aimed at finding vulnerabilities and supporting cybersecurity researchers, are common practice among large IT companies worldwide. Vulnerability and bug-hunting contests are run by Facebook, Google, Microsoft, Mozilla, Nokia, PayPal, avast! and others.

Denis Baranov, head of the web application security analysis team at Positive Technologies, noted: "Positive Technologies welcomes the participation of its specialists in such contests, where anyone can test their strength in searching for vulnerabilities. Such programs effectively increase the security of services and products that millions of people use every day. The Internet is an invaluable source of information and a powerful communication tool, and we are glad that Yandex uses the most progressive methods, including crowdsourcing in bounty initiatives, for the security of the Russian segment."