Issue affected only Yahoo's Basic email interface

Mar 15, 2016 08:20 GMT

Yahoo! has patched an email spoofing issue that allowed attackers to send malicious emails in the name of any person they wished.

Yahoo! Mail received a more polished, "modern" update a few years back, after Marissa Mayer took over the company. Since not all users liked the new email UI, the company still allowed the old interface to exist alongside the new one for a while and then created a "Basic" view for their newer UI, with far less JavaScript, so there would be a lower chance of things going astray.

Security researcher Lawrence Amer of Vulnerability Lab came across an issue in Yahoo! Mail's Basic interface, often called Classic Mode, that gave attackers an easy way to spoof the sender address of their emails.

Researcher managed to spoof an email just by tweaking a URL

The researcher says he was able to easily capture the HTTP requests sent to the server whenever he sent an email from the Basic interface.

In the request's URL, he found the parameter that set the "from address" of each newly created email, alongside the one carrying the sender's name.

By altering these two parameters, the researcher was able to send emails that appeared to come from other people, without Yahoo! detecting the manipulation and flagging them as spam or scams.
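The flaw described above is a server trusting client-supplied sender identity. The following is an added illustration of that bug class and its fix, not Yahoo!'s code; the parameter names (`from_addr`, `from_name`) and the addresses are hypothetical placeholders, since the article does not disclose the real ones.

```python
"""Model of a webmail 'send' endpoint: vulnerable handler beside a hardened one.

The vulnerable version copies the sender address and display name straight from
the request parameters, which is the behaviour the article attributes to the
Basic interface. The hardened version binds both to the authenticated session
and only lets the client choose among identities the account has verified.
Parameter names and addresses below are hypothetical, not from the article.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side view of the logged-in account (constructed for the example)."""
    email: str
    name: str
    verified_aliases: set = field(default_factory=set)


def vulnerable_send(session: Session, params: dict) -> dict:
    # Bug: sender identity is taken from URL parameters the client controls,
    # so any address and display name can be placed on the outgoing message.
    return {
        "from": params.get("from_addr", session.email),
        "name": params.get("from_name", session.name),
        "to": params["to"],
        "body": params["body"],
    }


def hardened_send(session: Session, params: dict) -> dict:
    # Fix: the server decides who the sender is. A requested address is only
    # honoured if it is the account's own address or a verified alias; the
    # display name is always the one stored on the account.
    requested = params.get("from_addr", session.email).strip().lower()
    allowed = {session.email.lower()} | {a.lower() for a in session.verified_aliases}
    if requested not in allowed:
        # Reject rather than silently rewrite, so tampering is visible in logs.
        raise PermissionError(f"{requested} is not an identity of this account")
    return {"from": requested, "name": session.name,
            "to": params["to"], "body": params["body"]}


if __name__ == "__main__":
    # Constructed sample: a logged-in user tries to send as a "security team".
    sess = Session("alice@example.com", "Alice", {"alice.work@example.com"})
    spoof = {"from_addr": "security@example.com", "from_name": "Security Team",
             "to": "bob@example.com", "body": "Please reset your password."}
    print("vulnerable:", vulnerable_send(sess, spoof)["from"])   # security@example.com
    try:
        hardened_send(sess, spoof)
    except PermissionError as exc:
        print("hardened:", exc)
```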

Ever since he discovered the issue back in October 2015, the researcher has been working with Yahoo! to address the bug, which received its final patch a week ago, on March 7, 2016.

Issue was rated as medium severity but has a potential for harm

The bug was a serious issue since it allowed people to spoof email addresses and send legitimate-looking emails. A bug like this would have been worth thousands of dollars on the hacking black market since it would have provided the perfect avenue for sending effective phishing emails.

A simple scenario would be to send an email made to look like it was coming from Yahoo's security team, asking users to reset their passwords or validate accounts, but in reality, sending victims to a malicious URL where their login and account details would be recorded.

A video depicting the vulnerability and how it could be exploited is presented below, courtesy of Mr. Amer.