"An uninitialized image decode buffer is used as the basis for an image rendered back to the client," the researcher says. "This leaks server-side memory."
"This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash," Evans added. "However, the leaked secrets will be limited to those present in freed heap chunks."
In a proof-of-concept (PoC) demonstration, the researcher attached an 18-byte exploit file to an email, sent it to himself, and then clicked on the image to launch the image preview pane, showing how it is possible to compromise a Yahoo email account.
"The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content," Evans said.
The vulnerability lies in the obscure RLE (Utah Raster Toolkit Run Length Encoded) image format. An attacker could simply craft an RLE image whose data consists of a loop of empty protocol commands, send it, and thereby trigger the information leak.
Yahoo did not implement any form of whitelisting for ImageMagick decoders, which allowed such malicious files to slip through the net.
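The decoder whitelist the article says was missing can be expressed in ImageMagick's own security policy. The fragment below is an added example, not Yahoo's configuration; the set of allowed formats and the file path are assumptions for illustration.

```xml
<!-- Added example: an ImageMagick policy.xml that denies every coder and then
     re-enables only the formats a mail preview service actually needs.
     Path is an assumption; on Debian-based systems it is typically
     /etc/ImageMagick-6/policy.xml (or /etc/ImageMagick-7/policy.xml). -->
<policymap>
  <!-- Deny all coders first. Obscure decoders such as RLE, the format
       abused in the leak described above, are never reached. -->
  <policy domain="coder" rights="none" pattern="*" />

  <!-- Allow only the formats the preview pane must handle (assumed list). -->
  <policy domain="coder" rights="read|write" pattern="{JPEG,PNG,GIF}" />

  <!-- Bound resource use so a crafted file cannot exhaust the worker either. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="disk" value="1GiB" />
  <policy domain="resource" name="time" value="30" />
</policymap>
```

Run `identify -list policy` after editing to confirm the active policy shows the coder rules; `convert sample.rle out.png` should then fail with a "not authorized" error rather than decoding the file.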
After submitting the one-line exploit to Yahoo, the tech giant decided that it was time to retire the open-source component altogether, rather than risk any other security flaws placing user emails at risk. The ImageMagick bug has been patched and Evans was awarded a bounty payment of $14,000.
After Evans declared that he would give the cash -- a reward of $778 per byte -- to charity, Yahoo doubled the amount to $28,000.
In March, four Russians were charged by the US Department of Justice (DoJ) with stealing the credentials of over 500 million user accounts from Yahoo.