A stored cross-site scripting (XSS) vulnerability in Yahoo Mail that affects more than 300 million email accounts globally was patched earlier this month, bagging a $10,000 bug bounty for the researcher who discovered it.
“Yahoo Mail displays HTML-formatted email messages after filtering any potentially malicious code,” explained Jouko Pynnönen of Klikki Oy, Finland, in an analysis. “The problem lies in this process. Certain malformed HTML code could pass the filter.”
The potential ramifications of the flaw are noteworthy: The bug affects all versions of Yahoo's webmail, the second-largest email service worldwide. The mobile app was not affected.
“We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits in the wild,” explained Pynnönen.
After the much-publicized “T-Shirtgate” episode over its bug bounty policies, Yahoo started running its program through the well-known HackerOne platform.
HackerOne recently gave an update on researcher participation, saying that over the course of 2015, nearly 600 hackers participated in the HackerOne bounty program, submitting approximately 1,500 reports. From these, it resolved 58 valid security vulnerabilities and awarded bounties for 38 of them. This translated to rewarding 41 unique hackers a total of $41,100, with an average payout of $1,082.