Critical Yahoo Mail Flaw Patched, $10K Bounty Paid

Security researcher Klikki Oy has received a $10,000 bug bounty for discovering a 
security flaw in Yahoo Mail. The XSS vulnerability discovered could have allowed a
 potential attacker to forward the contents of the victim’s inbox to an external 
website and compromise the account itself. Yahoo learned about the threat last 
month, implemented a fix and rewarded the researcher through a bug bounty 

According to the original post, the vulnerability exploited the way Yahoo Mail 
processes HTML-formatted email messages: “As most email solutions these days, 
Yahoo Mail displays HTML-formatted email messages after filtering any potentially malicious code. The problem lies in this process. Certain malformed HTML code could pass the filter.” In this case, the malformed HTML code could be used to inject an email message with malicious JavaScript code. In the proof of concept video, this allowed the researcher to send an email with such Javascript code which forwarded the contents of the victim’s inbox to a specified website and to add additional code to the victim’s email signature, attaching it to all outgoing emails without the user’s knowledge.

Klikki Oy was awarded the $10,000 bug bounty through the HackerOne bug 
bounty program, a vulnerability management platform that works with the security
 research community. The platform was created by security professionals from 
Facebook, Microsoft, and Google, and claims to have facilitated the discovery 
and amendment of almost 17,000 bugs and to have paid out $5.83 million in 
such bounties. According to Litmus Labs, Yahoo Mail is the seventh most popular 
email client in the world. The vulnerability only affected web-based versions of 
Yahoo Mail, not its mobile application. 
 Pynnonen said he provided Yahoo with two proof-of-concept exploits.

Post a Comment