Jouko Pynnönen, a Finnish researcher with the security firm Klikki Oy, uncovered a vulnerability in Yahoo Mail that would have allowed an attacker to read a victim's email. He had found a similar flaw in Yahoo Mail a year earlier.
The flaw was a cross-site scripting (XSS) vulnerability in Yahoo's webmail interface. An attacker could embed malicious markup in an email that, when the message was rendered, ran attacker-controlled JavaScript in the victim's browser inside the Yahoo Mail session, with the victim's privileges. No interaction from the victim, such as clicking a link or opening a file, would have been necessary: the script ran as soon as the victim opened the malicious email.
How The Flaw Was Found
Pynnönen decided to take another look at Yahoo Mail after finding an XSS vulnerability in the service the previous year. He did not expect to find another problem in the service's basic HTML filtering.
He noticed that Yahoo Mail's extended attachment features, such as sharing a file as a link from a third-party cloud storage provider, are expressed as extra markup in the HTML of the message, and he suspected this markup could be abused. That turned out to be the case: Yahoo's HTML filter let this markup through without properly filtering malicious content embedded in it, so an attacker could craft an HTML email that the recipient's mail client would then process.
“What caught my eye were the data-* HTML attributes. First, I realized my last year’s effort to enumerate HTML attributes allowed by Yahoo’s filter didn’t catch all of them,” Pynnönen said. “Second, since data-* HTML attributes are used to store application-specific data typically for JavaScript use, it seemed there was a new potential attack vector here. It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially,” he noted.
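As an added illustration, not Yahoo's code and not the researcher's proof of concept, the following JavaScript models the bug class described in the quote above: an allow-list sanitizer that strips unknown tags, event handlers and unsafe URLs but waves every data-* attribute through on the assumption that the browser ignores them, and a client-side attachment feature that later reads those attributes and splices their values into markup with innerHTML-style string building. The attribute names data-attachment-url and data-attachment-name, the sanitizer policy and the sample message are assumptions made for this example.

```javascript
// Added example (not Yahoo's or the researcher's code): a constructed model of
// a filter that passes data-* attributes through and an application script
// that later trusts them. Attribute names data-attachment-* are hypothetical.

// Minimal start-tag / attribute grammar, enough for flat HTML fragments.
const START_TAG =
  /<(\/?)([a-zA-Z][\w-]*)((?:\s+[\w:-]+(?:\s*=\s*(?:"[^"]*"|[^\s"'>]+))?)*)\s*(\/?)>/g;
const ATTR = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|([^\s"'>]+)))?/g;

// A browser's getAttribute() returns the entity-decoded value, so the model
// decodes on read and re-encodes when it serializes markup.
const decodeEntities = (s) => s.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
  .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
const encodeHtml = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Tokenize into text runs and { tag, closing, attrs } records.
function tokenize(html) {
  const out = [];
  let last = 0;
  for (const m of html.matchAll(START_TAG)) {
    if (m.index > last) out.push({ text: html.slice(last, m.index) });
    const attrs = {};
    for (const a of m[3].matchAll(ATTR)) {
      attrs[a[1].toLowerCase()] = decodeEntities(a[2] ?? a[3] ?? '');
    }
    out.push({ tag: m[2].toLowerCase(), closing: m[1] === '/', attrs });
    last = m.index + m[0].length;
  }
  if (last < html.length) out.push({ text: html.slice(last) });
  return out;
}

function serialize(tokens) {
  return tokens.map((t) => {
    if (t.text !== undefined) return t.text.replace(/</g, '&lt;');
    if (t.closing) return `</${t.tag}>`;
    const attrs = Object.entries(t.attrs)
      .map(([k, v]) => ` ${k}="${encodeHtml(v)}"`).join('');
    return `<${t.tag}${attrs}>`;
  }).join('');
}

const ALLOWED_TAGS = new Set(['p', 'br', 'div', 'span', 'a', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'class', 'title']);
const SAFE_URL = /^https?:\/\//i;

// The filter: unknown tags and attributes are dropped, on* handlers never
// survive, href/src must be http(s). `passDataAttrs` models the flaw: a
// blanket rule that keeps any data-* attribute "because only scripts use them".
function sanitize(html, { passDataAttrs }) {
  const kept = [];
  for (const t of tokenize(html)) {
    if (t.text !== undefined) { kept.push(t); continue; }
    if (!ALLOWED_TAGS.has(t.tag)) continue;
    const attrs = {};
    for (const [k, v] of Object.entries(t.attrs)) {
      if (k.startsWith('on')) continue;
      if ((k === 'href' || k === 'src') && !SAFE_URL.test(v)) continue;
      if (ALLOWED_ATTRS.has(k) || (passDataAttrs && k.startsWith('data-'))) attrs[k] = v;
    }
    kept.push({ ...t, attrs });
  }
  return serialize(kept);
}

// The mail client's post-sanitization step: elements carrying
// data-attachment-* attributes become a download widget built by string
// concatenation (the innerHTML pattern). `escapeValues` is the fix on this side.
function renderAttachments(sanitizedHtml, { escapeValues }) {
  const esc = escapeValues ? encodeHtml : (s) => s;
  const widgets = [];
  for (const t of tokenize(sanitizedHtml)) {
    if (t.text !== undefined || t.closing) continue;
    const url = t.attrs['data-attachment-url'];
    const name = t.attrs['data-attachment-name'];
    if (url === undefined || name === undefined) continue;
    widgets.push(`<div class="attachment"><a href="${esc(url)}">${esc(name)}</a></div>`);
  }
  return widgets.join('');
}

// Check on the final markup: is there an element with an on* attribute, i.e.
// script that would run when the message is viewed?
function hasEventHandler(html) {
  return tokenize(html).some((t) => t.tag !== undefined &&
    Object.keys(t.attrs).some((k) => k.startsWith('on')));
}

// Constructed attacker message. The payload sits entirely inside attribute
// values: no <script>, no on* attribute and no javascript: URL for the filter
// to find. The entities are exactly what getAttribute() will decode later.
const EVIL_MAIL =
  '<p>Invoice attached.</p>' +
  '<div data-attachment-url="https://example.invalid/x.pdf" ' +
  'data-attachment-name="&lt;img src=x onerror=alert(document.domain)&gt;"></div>';

function runScenario({ passDataAttrs, escapeValues }) {
  return renderAttachments(sanitize(EVIL_MAIL, { passDataAttrs }), { escapeValues });
}

console.log(hasEventHandler(runScenario({ passDataAttrs: true, escapeValues: false })));  // true
console.log(hasEventHandler(runScenario({ passDataAttrs: true, escapeValues: true })));   // false
console.log(hasEventHandler(runScenario({ passDataAttrs: false, escapeValues: false }))); // false
```

Run it with `node`. The first scenario is the vulnerable chain: the sanitizer sees only a harmless `<div>` with two attributes, but the attachment renderer decodes the attribute, splices it into markup, and an `<img onerror>` appears in the final page. Either fix alone breaks the chain: the filter can stop treating data-* attributes as inert on untrusted mail (drop them, or allow-list the specific ones the client needs and validate their values), and the client can escape the values before building markup, or better, assign them with textContent and setAttribute instead of string concatenation. Note that the model never scheme-checks data-attachment-url, so a `javascript:` URL in it would be a second route into the rendered `href`; a data attribute the application turns into a URL needs the same validation as `href` itself.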
Impact
As a proof of concept, the researcher provided Yahoo with an email that, when viewed, used AJAX requests from within the victim's session to read the messages in the victim's inbox and send them to an attacker-controlled server. He added that last year's concept virus, which could automatically install itself when a victim viewed an email, would also have worked using the same technique.
Pynnönen said the flaw was reported to Yahoo's security team through the HackerOne bug bounty platform on November 12. The vulnerability was fixed on November 29, and he was rewarded with a $10,000 bounty.