Yahoo has fixed a critical cross-site scripting (XSS) vulnerability that could have been exploited by hackers to access any Yahoo Mail user’s private emails.
If left unpatched, the vulnerability could have potentially put an estimated 300 million Yahoo Mail accounts at risk.
The security flaw was found by Finnish vulnerability researcher Jouko Pynnönen, who works for the security company Klikki Oy. Pynnönen has a history of uncovering XSS vulnerabilities in web-facing software, having responsibly disclosed security holes in the likes of WordPress and Uber in the past.
What should send a chill down the spine is that an attack exploiting the vulnerability would not require any user interaction. All a victim would have to do to have their account compromised is simply view an email, with no requirement to click on a link or open an attachment.
The malicious code embedded in the email could be used by an attacker to compromise an account, change its settings, forward messages to an external account, or even spread a Yahoo Mail-infecting virus.
For his efforts Pynnönen was rewarded with a $10,000 prize under Yahoo’s bug bounty program.
This isn’t the first time that Pynnönen has earned himself a handsome reward for reporting critical security vulnerabilities in Yahoo’s mail system. A year ago, Pynnönen told Yahoo about a different but similar stored XSS vulnerability that allowed attackers to embed malicious script inside boobytrapped email messages.
Just viewing the message was enough to trigger the malicious code – meaning that the recipient did not have to be tricked into clicking on any links or opening any attachments. The malicious script could be used to compromise the account – changing settings, or forwarding/sending emails without the user’s consent.
Pynnönen provided Yahoo’s security team with a proof-of-concept email that would forward a victim’s inbox to a third-party website, and a virus that would infect the account and attach itself to every subsequent email sent from the Yahoo Mail account.
It’s easy to imagine how such an attack could spread very quickly, and would be attractive for online criminals to exploit.
Fortunately, there were no known exploits in the wild, and the vulnerability was patched in January 2016.
It’s a shame that the work which Yahoo did then to fix that flaw didn’t also protect against the latest vulnerability. A stronger filter at Yahoo’s gateway, hunting for malicious HTML, could have stopped these types of attacks dead in their tracks.
Thank goodness that Pynnönen believes in responsibly disclosing details of his findings to technology companies, and that Yahoo responded appropriately in this latest case.