XSS bug in Yahoo Mail could have let attackers take over email accounts


One minute, your Yahoo account is nice and calm. And it utterly lacks a signature.

Then out of the blue, you get a mysterious message in your inbox, and all hell breaks loose.

You open it, and you find that somebody – or something – has enabled the email signature, entered some wacky text about something “wonderful” happening and your Yahoo “being alive,” and stuck some warbling multimedia in there, to boot.

Luckily, in this case, it was a security researcher sending a boobytrapped email to his own Yahoo account.

The Finnish researcher, Jouko Pynnönen, of the security firm Klikki Oy, last month discovered a Cross-Site Scripting (XSS) vulnerability in Yahoo’s webmail that would have allowed attackers to fully compromise email accounts just by sending a malicious email.

To have their account taken over, a victim would have only needed to open and view the email.

Pynnönen also sent himself another rigged email with a hidden script that covertly sent the receiver’s inbox to an external website.

Because the malicious code is in the message’s body, it is executed every time a user opens the email.

Pynnönen reported the issue to Yahoo on 26 December via the company’s HackerOne bug bounty program and says he was awarded a $10,000 bounty.

According to the researcher, Yahoo said that the XSS flaw was never used in the wild. Its developers fixed the vulnerability on 6 January.

Pynnönen says that he found the bug by force-feeding all known HTML tags and attributes to the filter that Yahoo uses to weed out malicious HTML.

He found that the filter didn’t actually strain out all the gunk, so that certain malformed HTML code managed to slip through.
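The same exhaustive approach works as a regression check against your own HTML filter: feed it every tag and attribute combination, re-parse what comes out, and flag anything outside the policy. This is an added example, not Pynnönen's tooling or Yahoo's code; the tag and attribute lists, the allowlists and `blocklist_filter` are constructed for illustration.

```python
import itertools
import re
from html.parser import HTMLParser

# Constructed sample lists; a real run would enumerate every tag and attribute in the HTML spec.
TAGS = ["b", "a", "img", "script", "svg", "iframe"]
ATTRS = ["href", "title", "onerror", "onload", "src", "style"]
# Assumed policy: what the mail view is supposed to let through.
ALLOWED_TAGS = {"b", "a", "img"}
ALLOWED_ATTRS = {"href", "title", "src"}


def blocklist_filter(markup):
    """Hypothetical filter under test: strips a fixed blocklist (deliberately incomplete)."""
    markup = re.sub(r"<\s*/?\s*script[^>]*>", "", markup, flags=re.I)
    markup = re.sub(r'\sonerror\s*=\s*"[^"]*"', "", markup, flags=re.I)
    return markup


class Audit(HTMLParser):
    """Re-parses filter output and records anything outside the allowlist."""
    def __init__(self):
        super().__init__()
        self.violations = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.add(("tag", tag))
        for name, _ in attrs:
            if name not in ALLOWED_ATTRS:
                self.violations.add(("attr", name))


def audit_filter(filter_fn):
    """Feed every tag/attribute pair through filter_fn; return what survived but should not have."""
    survivors = set()
    for tag, attr in itertools.product(TAGS, ATTRS):
        probe = f'<{tag} {attr}="x">text</{tag}>'
        parser = Audit()
        parser.feed(filter_fn(probe))
        parser.close()
        survivors |= parser.violations
    return survivors


if __name__ == "__main__":
    for kind, name in sorted(audit_filter(blocklist_filter)):
        print(f"filter let through {kind}: {name}")
```

The blocklist filter handles the two cases its author thought of and misses the rest, which is why the audit compares output against an allowlist rather than against a list of known-bad names.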

The bug was only found on Yahoo Mail’s web interface, not in the mobile app.

XSS bugs are one of the most common web vulnerabilities.

Just yesterday, we wrote about a UK supermarket chain that recently patched its online store against various web security holes, including XSS. And last week, we wrote about a researcher who revealed that eBay had just patched an XSS bug that left users vulnerable to almost undetectable phishing attacks.

If you’d like to learn more about XSS (and a related class of bugs known as Cross Site Request Forgery, or CSRF), check out our explanation of how they work.
