Yahoo Mail Flaw Could Allow Attackers To Read Emails, Infect Computers With No User Action

Jouko Pynnönen, a Finnish researcher at the security firm Klikki Oy, uncovered a vulnerability in Yahoo Mail that could have allowed attackers to read users' emails. He had found a similar flaw in Yahoo Mail a year earlier.

The Cross-Site Scripting (XSS) vulnerability in Yahoo's email service could have allowed attackers to embed malicious JavaScript in an email. The script would run in the recipient's browser, inside their Yahoo Mail session, as soon as the message was displayed, and the researcher's earlier work showed such script could go on to drop malware on the machine. No interaction beyond viewing the message, such as clicking a link or opening an attachment, was required.

How The Flaw Was Found

Pynnönen decided to take another look at Yahoo Mail after finding an XSS vulnerability in the service the previous year. He did not expect to find another problem in the service's basic HTML filtering.

What drew his attention were Yahoo Mail's extra attachment options, such as linking to an attachment stored with a third-party cloud provider. Those features are rendered as HTML that carries special attributes, and Yahoo's filter let the same attributes pass through unchanged in an incoming HTML email. An attacker could therefore craft a message that used them, and Yahoo's own client-side code would act on the attacker's values.

“What caught my eye were the data-* HTML attributes. First, I realized my last year’s effort to enumerate HTML attributes allowed by Yahoo’s filter didn’t catch all of them,” Pynnönen said. “Second, since data-* HTML attributes are used to store application-specific data typically for JavaScript use, it seemed there was a new potential attack vector here. It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially,” he noted.
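The pattern Pynnönen describes, as an added JavaScript illustration that is not Yahoo's filter or Yahoo's client code: an HTML filter that treats data-* attributes as inert and lets them through, beside a strict allowlist that does not, plus a stand-in for the mail client's own script that reads those attributes and feeds them to DOM sinks. The attribute names (data-preview-url, data-caption-html), the sample tag and the widget are invented for the example; the browser itself never interprets a data-* attribute, so the danger lies entirely in what the application's scripts do with it.

```javascript
// Added illustration (not Yahoo's filter or client code) of the bug class
// described above: an HTML filter that lets data-* attributes through, and
// application JavaScript that treats those attributes as instructions.
// Attribute names such as data-caption-html are invented for the example.

const ALLOWED_ATTRS = new Set(['href', 'title', 'class', 'alt', 'src']);

// Naive filter: an explicit allowlist plus any data-* attribute, on the
// assumption that custom data attributes are inert. They are inert to the
// browser, but not to scripts that read them.
function naiveAttrAllowed(name) {
  const n = name.toLowerCase();
  return ALLOWED_ATTRS.has(n) || n.startsWith('data-');
}

// Strict filter: only explicitly listed names survive. A data-* attribute
// the application's own scripts react to must never be on this list.
function strictAttrAllowed(name) {
  return ALLOWED_ATTRS.has(name.toLowerCase());
}

// Attribute tokenizer for the well-formed, double-quoted sample tags used
// here. A real filter must work on a parsed DOM, not on regexes over text.
const ATTR_RE = /([a-zA-Z][\w:-]*)\s*=\s*"([^"]*)"/g;

function parseAttrs(tag) {
  return [...tag.matchAll(ATTR_RE)].map(([, k, v]) => [k.toLowerCase(), v]);
}

// Rebuild the tag keeping only attributes the given policy allows.
function filterTag(tag, allowed) {
  const tagName = /^<([a-zA-Z][\w-]*)/.exec(tag)[1];
  const kept = parseAttrs(tag)
    .filter(([k]) => allowed(k))
    .map(([k, v]) => `${k}="${v}"`);
  return `<${tagName}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

// Stand-in for the mail client's own JavaScript: an attachment-link widget
// that reads data-* attributes and hands them to DOM sinks. Instead of
// touching the DOM it returns the writes it would perform, so the effect of
// each filter can be checked offline.
function attachmentWidget(filteredTag) {
  const attrs = Object.fromEntries(parseAttrs(filteredTag));
  const writes = [];
  if ('data-preview-url' in attrs) {
    writes.push({ sink: 'location', value: attrs['data-preview-url'] });
  }
  if ('data-caption-html' in attrs) {
    writes.push({ sink: 'innerHTML', value: attrs['data-caption-html'] });
  }
  return writes;
}

// Audit helper: which candidate attribute names survive a filter? This is
// the enumeration step the researcher describes, run against your own filter.
function survivingAttrs(allowed, candidates) {
  return candidates.filter(allowed);
}

// Constructed attacker-controlled tag: the href is harmless; the data-*
// attribute carries markup that only becomes live once a script writes it
// to innerHTML.
const HOSTILE_TAG =
  '<a href="https://example.test/file" data-caption-html="<img src=x onerror=alert(1)>">';

const CANDIDATES = ['href', 'onclick', 'data-preview-url', 'data-caption-html', 'srcdoc'];

// Run both policies and show what reaches the widget's sinks.
for (const [label, policy] of [['naive', naiveAttrAllowed], ['strict', strictAttrAllowed]]) {
  const out = filterTag(HOSTILE_TAG, policy);
  console.log(label, 'filter output:', out);
  console.log(label, 'sink writes  :', JSON.stringify(attachmentWidget(out)));
  console.log(label, 'survivors    :', survivingAttrs(policy, CANDIDATES).join(', '));
}
```

With the naive policy the filter output still carries data-caption-html, and the widget pushes its value into innerHTML, which is exactly where stored XSS fires; with the strict policy the attribute is gone and the widget has nothing to act on. The survivingAttrs check is the part worth keeping: run your real filter over every attribute name your client-side code reads, and treat any survivor as a finding.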

Impact

As a proof of concept, the researcher sent Yahoo an email that, when viewed, used AJAX requests to read the victim's inbox and forward the messages to an attacker-controlled server. He also noted that last year's concept virus, which installed itself on a user's computer when an email was viewed, would have worked through the same technique.

Pynnönen said the flaw was reported to Yahoo's security team through the HackerOne bug bounty platform on November 12. The vulnerability was fixed on November 29, and the researcher was awarded a $10,000 bounty.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • bloodroses
    People still use Yahoo email? I have one, but I haven't accessed it in so long that I'd never be able to remember the password I used.
  • tsnor
    Yahoo provides email service for other companies. For example, Frontier email is run by Yahoo.
  • daglesj
    Yahoo is the worst. If a customer calls me with an email problem, or they start sending me spam, it will be with a Yahoo account.
  • DMLee74128
    I have to use Y-mail if I want to access Yahoo groups. Without it I cannot access the group. Gmail is my primary email.
  • Kimonajane
    Is this a Windows vulnerability? Was the code written to go for Windows, or does it reach onto OS X and Linux as well?
  • dE_logics
    But ymail only works on Windows.

    That's what they said the last time I checked.

    Inside Yahoo, everything is proprietary BS which no one knows about; this is the primary reason for their demise.
  • DMLee74128
    Y-mail is short for Yahoo Mail.

    It works on any platform as long as you use the mail on the web site.
  • Effex
    Yes, people still use Yahoo Mail. Not everyone likes the interface of Gmail.
  • tsnor
    dE_logics said:
    But ymail only works on Windows.

    That's what they said the last time I checked.

    Inside Yahoo, everything is proprietary BS which no one knows about; this is the primary reason for their demise.

    Nope, standard IMAP or POP3 server. Your email client can be Linux, Apple, Android, or any other platform that supports the protocol. "...IMAP is the best way to connect your Yahoo Mail account to a desktop mail client or mobile app. .." https://help.yahoo.com/kb/SLN4075.html

    As far as the email servers at Yahoo go, it is unlikely they are Windows (because it's not free). Agree with you that they are likely running a proprietary mix of server hardware and software; however, that does not bother me ... they are surfacing industry-standard email APIs.