Yahoo fixes flaw allowing an attacker to read any user's emails

The company issued a $10,000 reward to the researcher for privately reporting the flaw.

Yahoo has fixed a severe security vulnerability in its consumer email service that could have allowed an attacker to read a victim's email inbox.


The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail.

The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty.

In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.

He explained that sending a specially crafted email could have triggered malicious JavaScript to be immediately executed.
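One defensive pattern against the filter gap described above, shown as an added example (not Yahoo's filter code): an allowlist sanitizer that keeps only listed tags and attributes, so unlisted attributes such as data-* and on* handlers are dropped without having to be enumerated one by one. The tag, attribute and URL-scheme allowlists and the sample message are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists constructed for this example: anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other tag keeps no attributes
URL_SCHEMES = ("http:", "https:", "mailto:")
VOID_TAGS = {"br"}                        # no closing tag emitted
SKIP_CONTENT = {"script", "style"}        # drop the tag and its body

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized HTML fragments
        self.dropped = []      # (tag, attribute) pairs removed, for logging
        self._skip = False

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self._skip = True
            return
        if tag not in ALLOWED_TAGS:
            return             # unknown tag removed, its text content kept
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and self._safe_value(name, value):
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append((tag, name))   # data-*, on*, etc. land here
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self._skip = False
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))   # re-escape text so it stays text

    @staticmethod
    def _safe_value(name, value):
        if name == "href":     # only plain web/mail schemes, never javascript:
            return (value or "").strip().lower().startswith(URL_SCHEMES)
        return True

def sanitize(html):
    """Return (sanitized_html, dropped_attributes) for an untrusted message body."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample message carrying unlisted attributes and a script tag.
SAMPLE = ('<div data-foo="x" onmouseover="alert(1)">Hi <b>there</b>'
          '<script>alert(1)</script><a href="javascript:alert(1)" data-x="1">link</a></div>')
```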

Pynnonen said in an email that exploiting the flaw was "rather easy," but finding the bug was difficult.

"I wouldn't say it's a basic bug, and it's not something discoverable with automated tools [and scanners]," he said.

A Yahoo spokesperson said Friday: "Yahoo has developed one of the largest and most successful bug bounty programs in the industry. We've paid out more than $2 million in bounties, resolved more than 3,000 security bugs and maintain a 'hackership' of more than 2,000 researchers, some of whom make careers out of it. This important program is leveraging skilled hackers from around the world to help strengthen the security of our products."
