Yahoo fixes flaw allowing an attacker to read any user's emails

The company issued a $10,000 reward to the researcher for privately reporting the flaw.
Written by Zack Whittaker, Contributor

Yahoo has fixed a severe security vulnerability in its consumer email service that could have allowed an attacker to read a victim's email inbox.

The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail.

The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty.

In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which also let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.

He explained that sending a specially crafted email could have triggered malicious JavaScript to execute immediately when the message was viewed.
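The flaw described above is the classic failure mode of a denylist-based HTML filter: it strips the attribute names it knows about and passes everything else through. The following is an added example (not Yahoo's filter, and not code from the researcher's write-up) that places a deliberately incomplete denylist sanitizer next to an allowlist sanitizer and runs both over a constructed HTML message. The message, the `example.invalid` URLs, and the made-up `onfoo` attribute (a stand-in for any attribute name a denylist author did not anticipate) are all constructed for the example; only the Python standard library is used.

```python
"""Denylist vs allowlist HTML sanitizer, side by side (added example)."""
from html import escape
from html.parser import HTMLParser

# Constructed sample message: benign formatting plus attributes a mail
# filter must strip.  "onfoo" is a stand-in for an attribute the denylist
# author never heard of; the URLs are placeholders, not real hosts.
SAMPLE_EMAIL = (
    '<p style="color:red">Hello <b>there</b></p>'
    '<img src="https://example.invalid/cat.png" alt="cat" onerror="alert(1)">'
    '<img src="https://example.invalid/dog.png" onfoo="alert(2)">'
    '<a href="javascript:alert(3)">click</a>'
    '<script>alert(4)</script>'
)

# Deliberately incomplete, as every denylist is in practice.
DENYLIST = {"onerror", "onload", "onclick", "onmouseover"}

# Allowlist: only these tags and attributes survive; everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "div", "span", "a", "img"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(value):
    """Accept only known-benign URL schemes (and site-relative paths)."""
    v = value.strip().lower()
    return v.startswith(SAFE_SCHEMES) or v.startswith("/")


class _Rewriter(HTMLParser):
    """Re-emits markup; keep_tag/keep_attr decide what survives.

    Content inside a dropped non-void element (e.g. <script>) is discarded
    entirely rather than leaking out as text."""

    def __init__(self, keep_tag, keep_attr):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.keep_tag = keep_tag
        self.keep_attr = keep_attr
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if not self.keep_tag(tag):
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        parts = [f'{k}="{escape(v or "", quote=True)}"'
                 for k, v in attrs if self.keep_attr(tag, k, v or "")]
        self.out.append("<" + " ".join([tag] + parts) + ">")

    def handle_endtag(self, tag):
        if not self.keep_tag(tag):
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth == 0 and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))


def _run(html, keep_tag, keep_attr):
    r = _Rewriter(keep_tag, keep_attr)
    r.feed(html)
    r.close()
    return "".join(r.out)


def denylist_sanitize(html):
    """Strips <script> and the handler attributes it knows; passes the rest."""
    return _run(html,
                keep_tag=lambda t: t != "script",
                keep_attr=lambda t, k, v: k not in DENYLIST)


def allowlist_sanitize(html):
    """Keeps only allowlisted tags/attributes and only safe URL schemes."""
    def keep_attr(tag, name, value):
        if name not in ALLOWED_ATTRS.get(tag, set()):
            return False
        if name in ("href", "src"):
            return _safe_url(value)
        return True
    return _run(html, keep_tag=lambda t: t in ALLOWED_TAGS, keep_attr=keep_attr)


if __name__ == "__main__":
    print("denylist :", denylist_sanitize(SAMPLE_EMAIL))
    print("allowlist:", allowlist_sanitize(SAMPLE_EMAIL))
```

Run as a script, the denylist output still carries the unknown `onfoo="alert(2)"` attribute and the `javascript:` link, while the allowlist output reduces the message to plain formatting, the two images with their `src`/`alt`, and an inert `<a>click</a>`. The design point is that an allowlist fails closed: an attribute the sanitizer has never seen is dropped by default, so a gap in the author's knowledge of the HTML attribute space does not become a gap in the filter.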

Pynnonen said in an email that exploiting the flaw was "rather easy," but finding the bug was difficult.

"I wouldn't say it's a basic bug, and it's not something discoverable with automated tools [and scanners]," he said.

A Yahoo spokesperson said Friday: "Yahoo has developed one of the largest and most successful bug bounty programs in the industry. We've paid out more than $2 million in bounties, resolved more than 3,000 security bugs and maintain a 'hackership' of more than 2,000 researchers, some of whom make careers out of it. This important program is leveraging skilled hackers from around the world to help strengthen the security of our products."
