Yahoo Mail flaw gets fixed, and a researcher nets $10K

Yahoo Mail flaw gets fixed, and a researcher nets $10K

Yahoo Mail is one of the company’s most important products.


A critical flaw in Yahoo Mail, which might have allowed attackers to hijack accounts, has been fixed.

The vulnerability would have allowed the embedding of malicious JavaScript code in tailored email messages. A victim would have needed to do nothing else but read the message, which would then execute the code and give cyberattackers the ability to fully compromise the account, hijack settings, and either forward or send email to the attacker’s server without the victim’s knowledge or consent.

The bug was fixed in early January, not long after Yahoo was informed about the security issue through its HackerOne bug bounty program. It was disclosed privately to the Sunnyvale, California-based company by security researcher Jouko Pynnönen, who was awarded $10,000 for his efforts.

Pynnönen said the vulnerability was patched before it affected any real-world users.

According to the researcher, the problem lay in how Yahoo filters HTML-formatted email messages. While the company performs this task to prevent malicious code from landing in user inboxes, Pynnönen says “certain malformed HTML code could pass the filter.”

The proof-of-concept video below demonstrates how the vulnerability could be exploited to forward a compromised inbox to an external server, as well as how a virus could be loaded to attach itself to all outgoing emails sent by a victim.

The vulnerability affected all versions of Yahoo Mail but not the tech giant’s accompanying mobile application.

This story originally appeared at ZDNet under the headline “Critical Yahoo email flaw patched through bug bounty program.”