A critical vulnerability in Yahoo Mail that could give attackers complete control of an account was patched two weeks ago.
The flaw was privately disclosed Dec. 26 by Finnish researcher Jouko Pynnonen and patched Jan. 6. Pynnonen earned himself a $10,000 bounty, one of the highest paid out by Yahoo through its HackerOne program.
Pynnonen discovered a stored cross-site scripting vulnerability that allowed him to read or send mail from a compromised account, change settings or redirect messages to an attacker’s server. The victim, he said, need only view the email. No other interaction with attachments or links was necessary to exploit the flaw.
Pynnonen said he was not aware of any public exploits.
Pynnonen explained that while testing Yahoo Mail, he created a message containing all known HTML tags and attributes in order to analyze which ones Yahoo's filter allowed through. He quickly learned that if certain Boolean HTML attributes (attributes that are meaningful without any value) were given a value, the filter stripped away the value.
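The defensive lesson from that filter behaviour is to never rewrite attribute strings in place: a sanitizer should parse the markup and re-serialize only what it explicitly allows, emitting a Boolean attribute bare no matter what value the sender attached to it. The following is an added illustration in Python, not Yahoo's filter or Pynnonen's code; the tag and attribute allowlists are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for this example; a real mail filter would be far larger.
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "table", "tr", "td", "input", "br"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "border", "type", "value"}
BOOLEAN_ATTRS = {"checked", "disabled", "readonly", "hidden"}
VOID_TAGS = {"img", "br", "input"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment from parsed tokens; the raw input string is never copied."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element: dropped entirely, children text still escaped
        parts = [tag]
        for name, value in attrs:
            if name in BOOLEAN_ATTRS:
                parts.append(name)  # bare attribute; any supplied value is discarded whole
            elif name in ALLOWED_ATTRS and value is not None:
                if name in ("href", "src") and not value.lower().startswith(("http://", "https://")):
                    continue  # only absolute http(s) URLs survive
                parts.append(f'{name}="{escape(value, quote=True)}"')
            # every other attribute (on* handlers, style, unknown names) is dropped
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never passed through


def sanitize(fragment: str) -> str:
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```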
Pynnonen said he provided Yahoo with two proof-of-concept exploits.
“One sends your inbox to an external website if you open a specially crafted malicious email. The email looks harmless to the victim – the transfer happens in the background,” he said. “The second PoC was a virus that infects the victim’s email signature so that the malware would be included in each email they send thereafter.”
HackerOne and Bugcrowd are the leading independent bug bounty platforms. Yahoo runs its bounty program through HackerOne, which said in 2015 it had a 20 percent increase in the number of researchers participating in its program compared to the previous year. It also said that in 2015 its average bounty payout was $1,082, and the highest was an $18,000 reward paid out to Daniel LeCheminant for five vulnerabilities in React components and the Markdown parser. Overall, its program has fixed 16,901 vulnerabilities and paid out $5.83 million.