Critical Yahoo Mail Flaw Patched, $10K Bounty Paid

A researcher earned a $10,000 bounty from Yahoo for a stored cross-site scripting vulnerability in Yahoo Mail.

A critical vulnerability in Yahoo Mail that could give attackers complete control of an account was patched two weeks ago.

The flaw was privately disclosed Dec. 26 by Finnish researcher Jouko Pynnonen and patched Jan. 6. Pynnonen earned himself a $10,000 bounty, one of the highest paid out by Yahoo through its HackerOne program.

Pynnonen discovered a stored cross-site scripting vulnerability that allowed him to read or send mail from a compromised account, change settings or redirect messages to an attacker’s server. The victim, he said, need only view the email. No other interaction with attachments or links was necessary to exploit the flaw.

“The vulnerability can be used to execute JavaScript in the victim’s browser when logged on Yahoo. An attacker can do many things with such JavaScript. One example was simply reading the victim’s email and forwarding it elsewhere,” Pynnonen told Threatpost. “Another example is to copy a malicious code in the victim’s email settings so that the code would replicate itself to all outgoing emails. More specifically the code could be inserted in the victim’s email signature which automatically goes out with each email.”

Pynnonen said he was not aware of any public exploits.

In a report published yesterday, Pynnonen said certain malformed HTML and JavaScript could bypass Yahoo’s filters searching for malicious code in emails. Only the web-based version of Yahoo Mail was affected; the mobile app was not, Pynnonen said.

Pynnonen explained that in testing Yahoo Mail, a message was created with all known HTML tags and attributes in order to analyze which were allowed by Yahoo. He quickly learned that if certain Boolean HTML attributes were given a value, the filter stripped away the value.

“The confusion can be exploited to insert unrestricted HTML attributes in tags that allow a ‘boolean’ attribute,” Pynnonen wrote. Any JavaScript inserted into the attribute is then executed without the need for user interaction.


Pynnonen said he provided Yahoo with two proof-of-concept exploits.

“One sends your inbox to an external website if you open a specially crafted malicious email. The email looks harmless to the victim – the transfer happens in the background,” he said. “The second PoC was a virus that infects the victim’s email signature so that the malware would be included in each email they send thereafter.”

HackerOne and Bugcrowd are the leading independent bug bounty platforms. Yahoo runs its bounty program through HackerOne, which said in 2015 it had a 20 percent increase in the number of researchers participating in its program compared to the previous year. It also said that in 2015, its average bounty payout through its program was $1,082, and the highest was an $18,000 reward paid out to Daniel LeCheminant for five vulnerabilities in React components and the Markdown parser. Overall, its program has fixed 16,901 and paid out $5.83 million.

Suggested articles