Infosec researcher pockets $10,000 for his work

Jan 19, 2016 10:08 GMT

Yahoo! has fixed an XSS (cross-site scripting) bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To have their account taken over, the victim would have only needed to open and view the email.

The researcher who discovered this security bug is Jouko Pynnönen, a Finnish infosec professional.

According to Pynnönen, an attacker could craft malicious code that would exploit this XSS flaw and use it to "compromise the [victim's] account, change its settings, and forward or send email without the user's consent."

Yahoo! doesn't properly sanitize all HTML tags entered in an email's body

The issue resides in how Yahoo! Mail deals with HTML tags embedded in the email's main body. These HTML tags are used to format and stylize the email's text, allowing users to add bold text, insert images, embed videos, create lists, and so on.

Pynnönen wanted to see how Yahoo! handles each HTML tag in turn, so he crafted an email that featured all the known HTML tags, each including different attributes.

He sent the email to himself and then checked which tags and attributes Yahoo! filtered out and which were left untouched.

He discovered that in HTML tags with the structure `<TAG_NAME attribute="value1 value2" />` he could replace value2 with malicious code. The two values must be separated by a space.
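To make the filtering mistake concrete, here is an added Python model (not Yahoo!'s own filter, whose code is not public): a weak attribute check that validates only the first space-separated value, beside a hardened one that validates every token. The tag, the attribute allowlist and the placeholder token are constructed for the example.

```python
import re

# Per-attribute validators for a single whitespace-separated token.
# Only http(s) URLs and simple word-like tokens are accepted.
_URL_TOKEN = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+$")
_WORD_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")
ALLOWED_ATTRS = {"href": _URL_TOKEN, "src": _URL_TOKEN,
                 "class": _WORD_TOKEN, "alt": _WORD_TOKEN}
_ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def weak_attr_ok(name, value):
    """Flawed check: only the first whitespace-separated token is validated.
    Models the class of bug described above: value2 after the space is never looked at."""
    validator = ALLOWED_ATTRS.get(name.lower())
    if validator is None:
        return False
    tokens = value.split()
    return bool(tokens) and bool(validator.match(tokens[0]))


def strict_attr_ok(name, value):
    """Hardened check: every whitespace-separated token must pass the validator."""
    validator = ALLOWED_ATTRS.get(name.lower())
    if validator is None:
        return False
    tokens = value.split()
    return bool(tokens) and all(validator.match(t) for t in tokens)


def filter_tag(tag, attr_ok):
    """Rebuild a self-closing tag keeping only attributes that pass attr_ok.
    Tag-name allowlisting is omitted; the point here is attribute-value handling."""
    m = re.match(r"^<\s*([A-Za-z]+)", tag)
    if not m:
        return ""
    name = m.group(1).lower()
    kept = [f'{n}="{v}"' for n, v in _ATTR_RE.findall(tag) if attr_ok(n, v)]
    return f"<{name} {' '.join(kept)} />" if kept else f"<{name} />"


# Constructed sample: a valid URL followed, after a space, by a script-scheme token
# standing in for the injected value2. The token is a placeholder, not a payload.
SAMPLE = '<img src="https://example.invalid/a.png javascript:placeholder()" />'

if __name__ == "__main__":
    print("weak  :", filter_tag(SAMPLE, weak_attr_ok))    # second token survives
    print("strict:", filter_tag(SAMPLE, strict_attr_ok))  # attribute dropped
```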

Users only had to open the malicious email

Using this technique, he crafted a proof-of-concept email and tested his findings on his own account, being able to modify his account's signature (video below).

Since the malicious code sits in the message's body, it is executed every time the user opens the email to view it.

The bug is only present on Yahoo! Mail's Web interface, and not in the mobile app.

Pynnönen informed Yahoo! of the issue on December 26, 2015, via the company's HackerOne bug bounty program and was awarded $10,000 (€9,200) for his work.

Yahoo! said that this XSS flaw was never used in live attacks. The company's developers fixed the issue on January 6, 2016.