The déjà vu is real for Finnish security researcher Jouko Pynnonen.
Just shy of a year ago, Pynnonen privately disclosed a stored cross-site scripting vulnerability in Yahoo Mail, and was rewarded with a $10,000 bounty through Yahoo’s HackerOne program.
Fast forward to last month, and there was Pynnonen again finding and disclosing a brand new stored XSS bug in Yahoo Mail and collecting another $10,000 bounty.
The vulnerability was patched Nov. 29, 17 days after Pynnonen reported the issue to Yahoo. The bug presented users with similar risks as the 2015 entry, namely an attacker could exploit the flaw to read a victim’s email, infect a victim’s machine with malware or exploit other vulnerabilities. A victim, meanwhile, need only view an email sent by an attacker. No other interaction is necessary, Pynnonen said.
“Basically an attacker, by crafting a specially formatted email, can embed JavaScript in it so that the script will be executed in the victim’s browser when the email is viewed on Yahoo Mail,” Pynnonen said in an email to Threatpost. “The attacker didn’t need special access. In fact the attack can be carried out without even registering on Yahoo Mail. Only the victim’s Yahoo email address is needed.”
In a description of the vulnerability published Thursday, Pynnonen explained how he could format an email with malicious data-* attributes that would sneak malicious JavaScript past Yahoo’s filters that execute by abusing the way Yahoo Mail displays links to whitelisted sites such as YouTube.
YouTube video links in Yahoo Mail, for example, generate a link enhancer card which provides a preview of the content in an email message.
“When a message containing this kind of markup is opened in Yahoo Mail, it will add the video embedded in an <IFRAME> tag. A share button is also displayed next to the video. These features are built using the said data-* attributes by Yahoo Mail’s JavaScript code.
I tried creating an email with ‘abusive’ data-* attributes and bingo!, found a pathological case pretty quickly. Inserting a quote symbol in the data-url value caused broken HTML in the share button. As long as the URL pointed to a white-listed website such as YouTube, it was not further sanity checked or encoded. The value was used as is for setting a div innerHTMLto create the button.
When this was viewed on Yahoo Mail, the link-enhancing JavaScript would take the data-url attribute to render the button. The HTML fragment inside the attribute would be rendered on the page – an <IMG> tag with an arbitrary onerror attribute, which caused the attacker-supplied JavaScript to be immediately executed.”
Last Dec. 26, Pynnonen disclosed a similar bug to Yahoo that was patched Jan. 6. The $10,000 bounties are among the largest paid out by Yahoo’s bounty program.
“The impact is the same,” Pynnonen said in comparing the two vulnerabilities. “The difference is in how the email has to be formatted in order to achieve script execution.”
