HackRead
Yahoo patches critical vulnerability that allowed hackers to read any email

December 9th, 2016 Waqas Security, Hacking News, Privacy, Surveillance 0 comments

The Internet giant Yahoo has fixed a highly critical cross-site scripting (XSS) flaw in Yahoo Mail that allowed an attacker to read any email conversation in a victim's mailbox at any time.

The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen, who earned $10,000 for it through Yahoo's bug bounty program on HackerOne. Its seriousness can be judged from the fact that all an attacker needed to do was send a crafted email; there was no need to deliver a virus or trick the victim into clicking a specific link. The malicious code ran as soon as the victim viewed the message in Yahoo Mail.

Pynnonen is the same researcher who reported a serious XSS bug in Yahoo Mail last year that allowed an attacker to take over any user's account. This time he went looking for more flaws and found one that, in the hands of malicious actors, could have been devastating for the company.

Pynnonen writes in his blog post that the bug was in Yahoo Mail's HTML filtering. To dig in, he sent himself emails with different kinds of attachments and inspected the "raw" HTML that Yahoo Mail produced for each. For security reasons Yahoo filters HTML messages to keep malicious code out of the reader's web browser, but Pynnonen found he could bypass the filter by including a YouTube link in the email: because the link pointed at an approved site, its URL was inserted into the rendered page without further checking or encoding, which let him inject JavaScript that executed in the victim's browser and read the user's emails.

“As long as the URL pointed to a white-listed website such as YouTube, it was not further sanity checked or encoded,” writes Pynnonen.
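As an added example (not code from the page or from Yahoo), here is what the filtering mistake Pynnonen describes looks like in JavaScript: a sanitizer that white-lists a link by URL prefix and then drops the value straight into markup, beside a hardened version that parses the URL, checks the scheme and host exactly, re-serialises it and HTML-encodes it before emitting an attribute. The function names, the allow-list and the sample payload are constructed for this example and are not Yahoo's implementation.

```javascript
// Added example, not Yahoo's code. Models an HTML filter that trusts a URL
// because its host is on an allow-list and then fails to encode the value.

// Assumed allow-list of embeddable video hosts (hypothetical).
const ALLOWED_HOSTS = new Set(["www.youtube.com", "youtube.com", "youtu.be"]);

// Vulnerable: the prefix check passes, but the raw value is interpolated into
// an attribute. A double quote inside the URL closes the href attribute and
// everything after it becomes new attributes on the element.
function renderEmbedVulnerable(url) {
  if (!url.startsWith("https://www.youtube.com/")) {
    return null; // not white-listed: the filter drops the link
  }
  return `<a href="${url}" class="embed">Video</a>`;
}

// Minimal attribute-context encoder: neutralises the characters that can end
// the attribute value or the tag, or start an entity.
function escapeHtmlAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened: parse with the WHATWG URL parser (rejects garbage, normalises
// the host), require https and an exact host match, then use the
// re-serialised URL (quotes and spaces in the query become %22 / %20) and
// encode it for the attribute context anyway. Defence in depth: either step
// alone would have stopped the quote-injection payload.
function renderEmbedHardened(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // unparseable input is not a link we will render
  }
  if (parsed.protocol !== "https:" || !ALLOWED_HOSTS.has(parsed.hostname)) {
    return null;
  }
  return `<a href="${escapeHtmlAttr(parsed.href)}" class="embed">Video</a>`;
}

// Crude review check for the output: does the markup carry any event-handler
// attribute (on...=) that the template never writes itself?
function hasInjectedHandler(html) {
  return html !== null && /\son[a-z]+\s*=/i.test(html);
}

// Constructed payload in the spirit of the bug: an approved host followed by
// attribute injection. Only the quote matters; the URL is otherwise benign.
const PAYLOAD = 'https://www.youtube.com/watch?v=abc" onmouseover="alert(1)';
const BENIGN = "https://www.youtube.com/watch?v=dQw4w9WgXcQ";

// Runs both filters over a URL and reports whether the output is safe.
function compare(url) {
  const vulnerable = renderEmbedVulnerable(url);
  const hardened = renderEmbedHardened(url);
  return {
    vulnerable,
    hardened,
    vulnerableInjected: hasInjectedHandler(vulnerable),
    hardenedInjected: hasInjectedHandler(hardened),
  };
}

console.log(compare(PAYLOAD));
console.log(compare(BENIGN));
```

Run it with `node` and look at the first result: the vulnerable renderer emits `onmouseover="alert(1)"` as a live attribute, while the hardened renderer keeps the same host check but the quote and space survive only as `%22` and `%20` inside the query string. The lesson from the quote above is that "pointed to a white-listed website" is an authorisation decision about the destination, not a statement about what characters the value contains; output encoding is still required for the context the value lands in.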

The good news is that the flaw has been fixed. Still, a bug like this is the last thing Yahoo needed after a massive data breach in which data on 500 million user accounts was stolen, and after reports that Yahoo developed "special software" so that the NSA could read users' email without restriction.


Do you want to delete your Yahoo account permanently? Click here to go to our exclusive and comprehensive guide about why and how to delete your Yahoo email account permanently.

We recommend visiting Pynnonen’s blog for more technical understanding and screenshots.

Waqas
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism
