Yahoo Mail Patches Severe XSS Flaw Affecting 300M Users

A stored cross-site scripting (XSS) vulnerability in Yahoo Mail that affects more than 300 million email accounts globally was patched earlier this month, bagging a $10,000 bug bounty for the researcher who discovered it.

The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be evaluated automatically when the message was viewed. The JavaScript could then be used to compromise the account, change its settings, and forward or send email without the user's consent.

“Yahoo Mail displays HTML-formatted email messages after filtering any potentially malicious code,” explained Jouko Pynnönen of Klikki Oy, Finland, in an analysis. “The problem lies in this process. Certain malformed HTML code could pass the filter.”
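The filter-bypass class Pynnönen describes, as an added example constructed for this article (not Yahoo's filter and not the researcher's proof of concept): a naive blocklist filter that unquoted or malformed markup slips past, beside an allowlist sanitizer that parses the message and rebuilds only permitted tags and attributes, so nothing the parser did not recognise is ever emitted raw. The tag and attribute sets, the scheme list and the sample messages are assumptions for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Naive blocklist filter of the kind malformed markup slips past
# (constructed for illustration, not Yahoo's filter).
SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.I)
QUOTED_EVENT_ATTR = re.compile(r'\s+on\w+\s*=\s*"[^"]*"', re.I)

def naive_filter(html: str) -> str:
    """Strip <script> tags and double-quoted on* handlers; nothing else."""
    return QUOTED_EVENT_ATTR.sub("", SCRIPT_TAG.sub("", html))

# Allowlist sanitizer: parse, then rebuild only what is explicitly permitted.
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "img"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")  # relative URLs dropped for simplicity

class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown or malformed tag names never reach the output
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, etc.
            value = value or ""
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # blocks javascript: and other unexpected schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never emitted raw

def sanitize(html: str) -> str:
    """Return the allowlist-rebuilt message body."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Feeding a constructed message such as `<img src=x onerror=bad()>` through both shows the difference: the blocklist returns it untouched, while the sanitizer returns `<img>`.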

The potential ramifications of the flaw are noteworthy: The bug affects all versions of Yahoo's webmail, the second-largest email service worldwide. The mobile app was not affected.

“We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits in the wild,” explained Pynnönen.

After a much-publicized “T-Shirtgate” over its bug bounty policies, Yahoo started running its program through the well-known platform HackerOne.

HackerOne gave an update on researcher participation recently, saying that over the course of 2015, nearly 600 hackers participated in the HackerOne bounty program, submitting approximately 1,500 reports. From these, it resolved 58 valid security vulnerabilities and awarded bounties for 38 of them. This translated to rewarding 41 unique hackers a total of $41,100, with an average payout of $1,082.

What’s hot on Infosecurity Magazine?