
Yahoo! Mail has patched a stored cross-site scripting (XSS) vulnerability and awarded the researcher who found the flaw $10,000.

Discovered by Finnish researcher Jouko Pynnonen, the bug allowed an attacker to embed malicious JavaScript code in a specially crafted email. The code would execute automatically whenever the message was viewed, allowing the attacker to send and receive email from the compromised account, change its settings, or redirect mail to a server of their choice.

“The vulnerability can be used to execute JavaScript in the victim’s browser when logged on Yahoo. An attacker can do many things with such JavaScript. One example was simply reading the victim’s email and forwarding it elsewhere,” Pynnonen told Threatpost. “Another example is to copy malicious code into the victim’s email settings so that the code would replicate itself to all outgoing emails. More specifically, the code could be inserted in the victim’s email signature, which automatically goes out with each email.”

There are currently no known exploits for this vulnerability.

In a blog post, the researcher explains that the attack relied on the fact that certain malformed HTML can pass through Yahoo! Mail’s filters. More specifically, Pynnonen found that he could insert unrestricted HTML attributes into tags that accept a “boolean” attribute, and that this was enough to get malicious code executed.
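The defensive lesson in the paragraph above is that an email HTML filter must not let unknown attributes ride along on tags it otherwise permits. The following is an added example, written for this article and not Yahoo! Mail's actual filter or the researcher's code: a small allowlist-based sanitizer built on Python's standard `html.parser`. It parses the message body into tags and attributes, rebuilds the output from that parse (so malformed markup cannot smuggle an attribute past a string-level check), keeps only attributes on a per-tag allowlist, validates link schemes, and records everything it dropped so the mail pipeline can log or alert on it. The tag set, attribute policy and sample inputs are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Illustrative per-tag attribute allowlist (an assumption, not Yahoo's policy).
# Any tag not listed is dropped; any attribute not listed for its tag is dropped.
ALLOWED_ATTRS = {
    "p": set(), "b": set(), "i": set(), "br": set(),
    "a": {"href"},
    "input": {"type", "checked", "disabled"},
}
VOID_TAGS = {"br", "input"}            # never get a closing tag
BOOLEAN_ATTRS = {"checked", "disabled"}  # emitted without a value
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML from the parsed token stream, keeping only allowlisted
    tags and attributes. Comments, declarations and unknown tags are dropped;
    text is always re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr) pairs removed; attr is None for a whole tag

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ATTRS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            # Unknown attribute names (including event handlers and attributes
            # that merely look boolean) are rejected regardless of their value.
            if name not in ALLOWED_ATTRS[tag]:
                self.dropped.append((tag, name))
                continue
            # Links must use a known-harmless scheme.
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append((tag, name))
                continue
            kept.append((name, value))
        parts = [tag]
        for name, value in kept:
            if name in BOOLEAN_ATTRS:
                parts.append(name)
            else:
                parts.append(f'{name}="{escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content is re-escaped, so script bodies from dropped <script>
        # tags, for example, come out as inert text.
        self.out.append(escape(data, quote=False))


def sanitize(body):
    """Return (sanitized_html, dropped) for an email body."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: a permitted tag carrying a boolean attribute plus an
    # attribute that is not on the allowlist, and a link with a bad scheme.
    sample = ('<p>Check this<input type="checkbox" checked onclick="x()">'
              '<a href="javascript:x()" title=t>link</a>')
    clean, dropped = sanitize(sample)
    print(clean)
    for tag, attr in dropped:
        print(f"dropped: tag={tag} attr={attr}")
```

The design point is that the policy is positive (what is allowed) rather than negative (what is forbidden), and that output is generated from the parser's view of the document rather than by patching the raw string; both properties close the gap where a tag that legitimately accepts a valueless attribute could also carry an arbitrary one. The `dropped` list is the detection hook: a sudden rise in rejected attribute names on inbound mail is worth surfacing to the security team.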

A proof-of-concept demo of the exploit can be viewed below:

On December 26th, 2015, the researcher reported the vulnerability to Yahoo! Mail via its HackerOne bug bounty program, which announced last summer that it had awarded $1 million to researchers over the course of a year.

Yahoo! Mail fixed the vulnerability on January 6th and awarded Pynnonen $10,000 for his discovery. This is more than some researchers have received in the past for their submissions to the bug bounty program of the second-largest email service.