XSS bug in Yahoo Mail could have let attackers take over email accounts

January 21st, 2016 by Mark Daly in Industry News

One minute, your Yahoo account is nice and calm. And it utterly lacks a signature.

Then out of the blue, you get a mysterious message in your inbox, and all hell breaks loose.

You open it, and you find that somebody – or something – has enabled the email signature, entered some wacky text about something “wonderful” happening and your Yahoo “being alive,” and stuck some warbling multimedia in there, to boot.

Luckily, in this case, it was a security researcher sending a boobytrapped email to his own Yahoo account.

The Finnish researcher, Jouko Pynnönen, of the security firm Klikki Oy, last month discovered a Cross-Site Scripting (XSS) vulnerability in Yahoo’s webmail that would have allowed attackers to fully compromise email accounts just by sending a malicious email.

To have their account taken over, a victim would have only needed to open and view the email.

Pynnönen also sent himself another rigged email with a hidden script that covertly sent the receiver’s inbox to an external website.

Because the malicious code is in the message’s body, it is executed every time a user opens the email.

Pynnönen reported the issue to Yahoo on 26 December via the company’s HackerOne bug bounty program and says he was awarded a $10,000 bounty.

According to the researcher, Yahoo said that the XSS flaw was never used in the wild. Its developers fixed the vulnerability on 6 January.

Pynnönen says that he found the bug by force-feeding all known HTML tags and attributes to the filter that Yahoo uses to weed out malicious HTML.

He found that the filter didn’t actually strain out all the gunk, so that certain malformed HTML code managed to slip through.
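The same kind of test can be run defensively against your own mail or comment filter. The sketch below is an added example, not Yahoo's filter or the researcher's test code: it feeds a constructed corpus of tags, attributes and syntactic shapes (including malformed ones) through a filter, re-parses the output, and reports anything outside an allowlist. The policy in `ALLOWED` and the names `PolicyParser`, `sanitize` and `audit` are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from itertools import product

# Assumed policy for this example (not Yahoo's): tag -> attributes allowed on it.
ALLOWED = {"b": set(), "p": set(), "br": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}  # elements for which no closing tag is emitted

def permitted(tag, name, value):
    # Attribute must be allowlisted for the tag; URL attributes need a safe scheme.
    url_ok = (value or "").strip().lower().startswith(("http://", "https://", "mailto:"))
    return name in ALLOWED.get(tag, ()) and (name not in ("href", "src") or url_ok)

class PolicyParser(HTMLParser):
    """Rebuilds markup from parsed tokens (out) and records policy violations (bad)."""
    def __init__(self, markup):
        super().__init__()
        self.out, self.bad = [], []
        self.feed(markup)
        self.close()
    def handle_starttag(self, tag, attrs):
        self.bad += [f"{tag}[{n}]" for n, v in attrs if not permitted(tag, n, v)]
        if tag not in ALLOWED:
            self.bad.append(tag)
            return
        kept = [f' {n}="{escape(v or "")}"' for n, v in attrs if permitted(tag, n, v)]
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(markup):
    return "".join(PolicyParser(markup).out)

# Constructed corpus: every tag x attribute x shape, always with the inert value "x".
TAGS = ["b", "a", "img", "script", "iframe", "svg", "form", "style"]
ATTRS = ["href", "src", "alt", "style", "onclick", "onerror", "formaction"]
SHAPES = ['<{t} {a}="x">text</{t}>', "<{T} {A}=x>", '<{t} {a}="x"', '<{t}/{a}="x">text']

def audit(filter_fn):
    findings = []
    for t, a, shape in product(TAGS, ATTRS, SHAPES):
        sample = shape.format(t=t, a=a, T=t.upper(), A=a.upper())
        bad = PolicyParser(filter_fn(sample)).bad  # fresh parse of the filter's output
        if bad:
            findings.append((sample, bad))
    return findings
```

`audit(sanitize)` returns an empty list because the output is rebuilt only from allowlisted tokens, while `audit(lambda s: s)` shows what the harness reports for a filter that lets markup through unchanged.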

The bug was only found on Yahoo Mail’s web interface, not in the mobile app.

XSS bugs are among the most common web vulnerabilities.

Just yesterday, we wrote about a UK supermarket chain that recently patched its online store against various web security holes, including XSS. And last week, we wrote about a researcher who revealed that eBay had just patched an XSS bug that left users vulnerable to almost undetectable phishing attacks.
