A patch was already released by Yahoo last week

Dec 10, 2016 08:49 GMT  ·  By

Yahoo Mail's reputation for security was already damaged by the 2014 breach of roughly 500 million accounts, which the company did not disclose until September 2016, so every newly discovered vulnerability is a fresh worry for its users.

Security researcher Jouko Pynnonen discovered a stored cross-site scripting (XSS) flaw in Yahoo Mail that would have let an attacker run JavaScript inside the mailbox session of any user who viewed a crafted message, and from there read that user's email. Yahoo patched the flaw last week and paid the researcher a $10,000 reward under its bug bounty program.

No user interaction needed

Specifically, Pynnonen explained that an attacker could get into an account by slipping malicious JavaScript past Yahoo's HTML filter inside links in the message body. Because the mail client rendered the message in the victim's authenticated Yahoo Mail session, the script ran with the victim's privileges. Worse, the victim did not have to click a link or open an attachment: simply viewing the attacker's email was enough.

“The flaw allowed an attacker to read a victim's email or create a virus infecting Yahoo Mail accounts, among other things. The attack required the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) was required,” the researcher notes.
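To make this class of bug concrete, the following is an added example, written for this article; it is not Yahoo's code and does not reproduce the payload from Pynnonen's report. It models a webmail pipeline in two stages: a server-side HTML sanitizer with a tag and attribute allowlist, and a client-side "link enhancement" step that turns an allowed attribute back into markup. The tag allowlist, the `data-preview` attribute and the enhancement step are all assumptions made for the illustration. The point it shows is general: a filter that only inspects tags judges an entity-encoded attribute value to be inert text, but once client code decodes that value and writes it into the page as HTML, an `<img onerror>` fires as soon as the message is displayed, with no click from the victim.

```javascript
// Added illustration of a stored-XSS filter bypass in a webmail client.
// Not Yahoo's code and not Pynnonen's payload: the tag allowlist, the
// hypothetical data-preview attribute and the link-enhancement step are
// assumptions made for this demonstration.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'br', 'a']);
// Hypothetical: the client lets senders attach a short preview text to links.
const ALLOWED_ATTRS = new Set(['href', 'title', 'data-preview']);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Stage 1: server-side sanitizer. Drops disallowed tags, on* handlers and
// javascript: URLs. Regex-based for brevity; a real filter would use a parser.
function sanitize(html) {
  const noScripts = html.replace(/<script[\s\S]*?<\/script>/gi, '');
  return noScripts.replace(TAG_RE, (whole, slash, tag, rawAttrs) => {
    tag = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';          // <script>, <img>, <iframe>, ...
    if (slash) return `</${tag}>`;
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const name = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!ALLOWED_ATTRS.has(name)) continue;       // onclick=, style=, src=, ...
      if (name === 'href' && !/^https?:/i.test(value)) continue; // javascript: etc.
      kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// What the browser does when client code reads an attribute via getAttribute():
// entity references in the value are decoded, so "&lt;img&gt;" becomes "<img>".
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

const LINK_RE = /<a ([^>]*)>([\s\S]*?)<\/a>/g;

// Stage 2 (vulnerable): client-side code appends a preview box after each link,
// concatenating the decoded attribute straight into markup (think innerHTML).
function enhanceLinksVulnerable(sanitizedHtml) {
  return sanitizedHtml.replace(LINK_RE, (link, attrs) => {
    const p = /data-preview="([^"]*)"/.exec(attrs);
    if (!p) return link;
    return `${link}<span class="preview">${decodeEntities(p[1])}</span>`;
  });
}

// Stage 2 (hardened): the attribute is treated as text, never as markup.
function enhanceLinksHardened(sanitizedHtml) {
  return sanitizedHtml.replace(LINK_RE, (link, attrs) => {
    const p = /data-preview="([^"]*)"/.exec(attrs);
    if (!p) return link;
    return `${link}<span class="preview">${escapeHtml(decodeEntities(p[1]))}</span>`;
  });
}

function renderEmail(rawHtml, enhance) {
  return enhance(sanitize(rawHtml));
}

// Constructed attacker email: no <script>, no on* attribute on any real tag and
// no javascript: URL, so the sanitizer keeps everything. The payload is an
// entity-encoded <img> whose onerror fires as soon as the message is shown.
const CONSTRUCTED_EMAIL =
  '<p>Hi, see <a href="https://example.com" ' +
  'data-preview="&lt;img src=x onerror=alert(document.cookie)&gt;">this</a>.</p>';

console.log('sanitized :', sanitize(CONSTRUCTED_EMAIL));
console.log('vulnerable:', renderEmail(CONSTRUCTED_EMAIL, enhanceLinksVulnerable));
console.log('hardened  :', renderEmail(CONSTRUCTED_EMAIL, enhanceLinksHardened));
```

The sanitized output still contains the string `onerror=`, but only inside an entity-encoded attribute value where the browser treats it as plain text; it is the second stage that turns it into a live element. Two fixes apply, and a careful client applies both: the sanitizer should not pass through attributes whose consumers it cannot vouch for (here, any `data-*` value that client code later renders), and the client should build the preview with `textContent` or `createElement` rather than string-assembled HTML.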

Pynnonen reported the flaw to Yahoo on November 12 and the company deployed a fix on November 29. Since the bug was in Yahoo's web client rather than in any software on users' machines, the fix protects all users without them having to update anything.

For those who have forgotten, Yahoo Mail was hacked in 2014 in a breach that the company disclosed only in September this year. Approximately 500 million accounts were exposed, with Yahoo admitting that the attackers accessed user information such as names, phone numbers, hashed passwords and email addresses.

What's also worrying is that Pynnonen found a similar stored XSS flaw in Yahoo Mail last year, one that likewise let an attacker read a victim's email once the crafted message was viewed. It goes without saying that Yahoo should be looking harder for bugs of this class, HTML filter bypasses in rendered email, if it wants to improve account security.