Yahoo patches critical vulnerability that allowed hackers to read any email

The hacker who reported the flaw received $10,000 through Yahoo’s bug bounty program.

The Internet giant Yahoo has fixed a highly critical cross-site scripting (XSS) security flaw in its users’ email system that allowed any attacker to read any email conversation at any time.

The security flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen, who earned $10,000 in return as part of Yahoo’s bug bounty program on HackerOne. The seriousness of this flaw is clear from the fact that all an attacker needed to do to read the victim’s email was send the victim an email. There was no need to send a virus or trick the victim into clicking a specific link.

Jouko Pynnonen is the same researcher who reported a serious bug in Yahoo last year that allowed an attacker to take over any user’s account by using an XSS vulnerability. This time the researcher decided to look for more flaws and ended up discovering one that, if used by malicious actors, could have been devastating for the company.

Jouko Pynnonen writes in his blog post that the bug was in the email’s HTML filtering. After further digging, Pynnonen sent an email with different kinds of attachments to inspect the “raw” HTML of that email. For security reasons, Yahoo has a filtration process for HTML messages that helps keep malicious code from reaching the reader’s web browser. However, Pynnonen was able to bypass the filtration process by sending a YouTube link in the email, which allowed him to execute JavaScript code and read the user’s emails.

“As long as the URL pointed to a white-listed website such as YouTube, it was not further sanity checked or encoded,” writes Pynnonen.
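The class of flaw described above, an allow-listed URL written into markup without further checking or encoding, shown next to a hardened form. This is an added example, not Yahoo's code or Pynnonen's proof of concept; the `data-url` card markup, the function names, the allow-list contents and the sample URLs are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example; the article names only YouTube.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com"}
FORBIDDEN = set("\"'<>` \\")

def render_naive(url):
    """Flawed pattern: an allow-listed URL goes into markup unchecked and unencoded."""
    if not url.startswith("https://www.youtube.com/"):
        return ""
    return '<div class="card" data-url="' + url + '"></div>'

def render_hardened(url):
    """Sanity-check the URL, then encode it for the HTML attribute context."""
    if any(c in FORBIDDEN or ord(c) < 0x20 for c in url):
        return ""  # markup-significant or control characters
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return ""
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return ""
    if parts.username is not None or parts.password is not None or port is not None:
        return ""
    return '<div class="card" data-url="' + escape(url, quote=True) + '"></div>'

class _Attrs(HTMLParser):
    """Collects attribute names the way an HTML parser sees the rendered tag."""
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def attribute_names(markup):
    parser = _Attrs()
    parser.feed(markup)
    parser.close()
    return parser.names

# Constructed sample inputs: a normal link, and one whose quote ends the attribute early.
BENIGN = "https://www.youtube.com/watch?v=abc&t=10"
BROKEN_OUT = 'https://www.youtube.com/watch?v=abc" data-injected="1'

if __name__ == "__main__":
    for label, url in (("benign", BENIGN), ("broken-out", BROKEN_OUT)):
        print(label, attribute_names(render_naive(url)), attribute_names(render_hardened(url)))
```

The naive renderer lets the sender of the message add an attribute of their choosing to the tag, which is the foothold an HTML filter exists to deny; the hardened one rejects that input and entity-encodes what it accepts.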

The good news is that the flaw has been fixed. However, a flaw like this is the last thing Yahoo would want, especially after suffering a massive data breach in which 500 million user accounts were stolen, or after the “special software” that Yahoo developed so the NSA can read users’ email without any restriction.


We recommend visiting Pynnonen’s blog for more technical understanding and screenshots.

Written by Waqas
