
“The vulnerability can be used to execute JavaScript in the victim’s browser when logged on Yahoo. An attacker can do many things with such JavaScript. One example was simply reading the victim’s email and forwarding it elsewhere,” Pynnonen told Threatpost. “Another example is to copy a malicious code in the victim’s email settings so that the code would replicate itself to all outgoing emails. More specifically the code could be inserted in the victim’s email signature which automatically goes out with each email.”

There are currently no known attacks exploiting this vulnerability in the wild. In a blog post, the researcher explains that he found the bug after noticing that certain malformed HTML could pass through Yahoo! Mail's filters. More specifically, Pynnonen found that he could insert otherwise unrestricted HTML attributes into tags that accept a "boolean" attribute (one written without a value), which gave him a way to execute script in the victim's session. The researcher also published a proof-of-concept video demonstrating the exploit.

On December 26th, 2015, the researcher reported the vulnerability to Yahoo! Mail through its HackerOne bug bounty program, which announced last summer that it had paid out $1 million to researchers over the course of a year. Yahoo! Mail fixed the vulnerability on January 6th, 2016, and awarded Pynnonen $10,000 for the discovery, more than some researchers have received in the past for submissions to the second-largest email service's bug bounty program.
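The general failure mode behind this class of bug is a filter whose idea of "an attribute with a value" is narrower than the browser's HTML parser. The following is an added illustration, not Yahoo! Mail's filter and not the researcher's payload: a toy filter (`naiveFilter`) that validates attribute names only when they are written as `name="value"` and assumes anything else is a harmless boolean attribute, next to an allow-list rewrite (`allowListFilter`) that tokenizes attributes the way HTML does (quoted, single-quoted, unquoted, or valueless) and drops every name it does not know. The tag allow-list, the regexes and the sample input are all constructed for the example.

```javascript
// Added example. Neither function is production code: real sanitizers (e.g. DOMPurify)
// parse into a DOM rather than matching tags with regexes. The point shown here is
// only how a filter's attribute grammar can disagree with the browser's.

// Constructed per-tag attribute allow-list (assumption for the example).
const ALLOWED = {
  p: new Set(),
  b: new Set(),
  a: new Set(['href']),
  img: new Set(['src', 'alt']),
  input: new Set(['type', 'value', 'disabled', 'checked']),
};

const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;

// Naive filter. It only recognizes an attribute as "having a value" when it sees
// the literal sequence  ="  . Everything else on the tag is treated as a boolean
// attribute and copied through unchanged. Browsers, however, also accept
// name=value (unquoted) and name='value', so  onfocus=alert(1)  is an event
// handler to the browser but "just a boolean attribute" to this filter.
function naiveFilter(html) {
  return html.replace(TAG_RE, (whole, slash, tag, attrs) => {
    const allowedAttrs = ALLOWED[tag.toLowerCase()];
    if (!allowedAttrs) return '';                 // unknown tag: strip the tag itself
    const out = [];
    for (const token of attrs.match(/\S+?="[^"]*"|\S+/g) || []) {
      const eq = token.indexOf('="');
      if (eq === -1) {
        out.push(token);                          // BUG: assumed boolean, never checked
      } else if (allowedAttrs.has(token.slice(0, eq).toLowerCase())) {
        out.push(token);
      }
    }
    return `<${slash}${tag}${out.length ? ' ' + out.join(' ') : ''}>`;
  });
}

// Attribute tokenizer modelled on the HTML attribute grammar: a name, optionally
// followed by '=' and a double-quoted, single-quoted or unquoted value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Allow-list rewrite. The tag is rebuilt from scratch and an attribute survives
// only if its name is on the list, whether or not it carries a value and however
// that value was quoted. Unknown boolean attributes are dropped like any other.
function allowListFilter(html) {
  return html.replace(TAG_RE, (whole, slash, tag, attrs) => {
    const name = tag.toLowerCase();
    const allowedAttrs = ALLOWED[name];
    if (!allowedAttrs) return '';
    if (slash) return `</${name}>`;
    const out = [];
    for (const [, attrName, rawValue] of attrs.matchAll(ATTR_RE)) {
      const key = attrName.toLowerCase();
      if (!allowedAttrs.has(key)) continue;       // unknown name: drop, value or not
      if (rawValue === undefined) {               // genuine boolean attribute, e.g. checked
        out.push(key);
        continue;
      }
      const value = rawValue.replace(/^["']|["']$/g, '');
      // URL-bearing attributes get a scheme check so javascript: cannot slip through.
      if ((key === 'href' || key === 'src') && !/^https?:\/\//i.test(value)) continue;
      out.push(`${key}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${out.length ? ' ' + out.join(' ') : ''}>`;
  });
}

// Constructed sample input: a legitimate boolean attribute (autofocus) next to an
// unquoted event handler that the naive filter cannot tell apart from it.
const SAMPLE = '<p>Hi <input type="text" autofocus onfocus=alert(document.domain)> bye</p>';

function demo() {
  return { naive: naiveFilter(SAMPLE), allowList: allowListFilter(SAMPLE) };
}

module.exports = { naiveFilter, allowListFilter, demo, SAMPLE };
```

Running `demo()` shows the naive filter returning the input unchanged, handler included, while the allow-list version reduces the tag to `<input type="text">`. The design point is that a filter should never pass through what it could not parse; the hardened version is still a regex toy and drops, for instance, the text of a `<script>` element only partially, so use a DOM-based sanitizer in real mail rendering.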