Jouko Pynnönen, a Finnish researcher from the Klikki Oy security firm, uncovered a vulnerability in Yahoo Mail that could allow malicious hackers to eavesdrop on users’ emails. The researcher uncovered a similar flaw in Yahoo Mail a year ago.
The Cross-Site Scripting (XSS) vulnerability in Yahoo’s email service could’ve allowed attackers to embed malicious code in people’s emails and infect their computers with malware. No interaction from the users, such as clicking on a link or opening a file, would have been necessary. The infection would have happened automatically as the users opened a malicious email.
How The Flaw Was Found
Pynnönen decided to take another go at looking for bugs in Yahoo Mail after finding an XSS vulnerability in the service last year. However, he didn’t expect to find another problem in the service’s basic HTML filtering.
He noticed the additional attachment options in Yahoo Mail, such as adding an attachment link through a third-party cloud storage provider, and thought they might be exploitable. He was able to take advantage of these options because Yahoo failed to properly filter malicious code that could be embedded into these HTML emails.
As a proof of concept, the researcher provided Yahoo with an email that, when viewed, would use AJAX to read the emails in the user’s inbox and send them to an attacker’s server. He also said that last year’s concept virus, which could automatically install itself on users’ computers when viewing an email, would’ve also worked using the same technique.
Pynnönen said the flaw was reported to Yahoo’s security team through the HackerOne bug bounty platform on November 12. The vulnerability was fixed on November 29. The researcher was rewarded with a $10,000 bounty.