The vulnerability could have been used to extract messages from users and to inject malicious code their outgoing messages
Network
security and
ethical hacking specialists from the International Institute of Cyber Security
reported that Yahoo has corrected a critical cross-site
scripting vulnerability (XSS) in the Yahoo Mail service. The
vulnerability could have been exploited by malicious users to extract messages
from the victims, even to inject malicious code into their outgoing messages.
The vulnerability could have been exploited by
groups of hackers to extract the victims’ emails and forward them to external
websites under their control; they might even have managed to make changes to
the configuration of compromised Yahoo Mail accounts to perform other
unauthorized activities.
Network security specialists believe that this
vulnerability is related to inadequate filtering of malicious HTML code on email
platforms. This XSS vulnerability was discovered hosted in Yahoo Mail at the
end of last year, although Yahoo
could fix it until January 2019. The investigator who reported the
vulnerability to the company was rewarded with $10k USD.
Finland born, Jouko Pynnönen, the network
security expert who reported the vulnerability, mentioned that it is not
possible to disclose technical details about the vulnerability because Oath, Yahoo
proprietary company, has asked for it, but he did mention that it’s related to
Yahoo Mail HTML-code filtering.
Pynnönen has discovered other similar flaws in
the past. For example, in 2015 reported XSS vulnerability in Yahoo Mail which
was also granted a reward. That specific flaw could have allowed a hacker to
send emails with hidden JavaScript code, which would run once the user
interacted with the message.
In addition, in 2016 the expert discovered a
new vulnerability XSS in the same email service, which could have exposed the
personal messages of any user, which also received a reward a $10k USD bounty
from Yahoo.
