Yahoo, one of the largest email providers, has patched a critical security vulnerability in Yahoo Mail. Had it remained unpatched, the flaw could have been exploited to let an attacker read any user's Yahoo Mail inbox.
Yahoo Mail Attackers!
Jouko Pynnonen is a Finnish security researcher. He was the first to report that a DOM-based persistent XSS (cross-site scripting) flaw in Yahoo Mail allowed an attacker to send emails carrying malicious code.
In a blog post published a few days ago, Jouko showed his readers how an attacker could have read the inbox of any Yahoo Mail user. He demonstrated how malicious code could send data to an external site. The code could also spread like a virus: by adding the malicious script to the message signature, it was attached to every outgoing mail. The script is hidden deep inside the message body and is activated as soon as the victim opens the email, and a hidden payload script sends data to an external website controlled by the attacker.
The issue was possible because Yahoo failed to properly filter malicious code out of HTML emails, which could have put any user's mailbox at risk.
In his blog post, Jouko explained that he found the vulnerability by feeding Yahoo Mail every known HTML tag. He observed that Yahoo weeded out most malicious HTML, but that a good deal of malicious HTML still got past Yahoo's HTML filter.
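The defensive lesson is that a filter which tries to recognise "bad" HTML will always miss something; an allowlist that keeps only known-safe tags, attributes and URL schemes does not have that gap. The sanitizer below is an added example written for this article (it is not Yahoo's filter or the researcher's code); the tag policy and the sample signature are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy: anything not listed is dropped, so unknown tags and every
# on* event-handler attribute disappear without maintaining a denylist.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "div", "span", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # inner text is discarded too
VOID_TAGS = {"br"}

def safe_url(value):
    # Strip whitespace/control characters first so an obfuscated "java\tscript:" is caught.
    compact = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace()).lower()
    return compact.split(":", 1)[0] in SAFE_SCHEMES if ":" in compact else True  # no scheme: relative

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded before the checks run
        self.parts = []
        self.skip_depth = 0  # > 0 while inside a tag whose content must be discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # tag removed; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or (name == "href" and not safe_url(value)):
                continue  # drops on* handlers, src, style and unsafe link targets
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(escape(data, quote=False))

def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts)

# Constructed sample signature: harmless formatting mixed with a script block, an
# event handler and a javascript: link; only the formatting and the https link survive.
SAMPLE_SIGNATURE = ('<p>Regards, <b>Alice</b></p><script>alert(1)</script>'
                    '<img src="x" onerror="alert(1)"><a href="javascript:alert(1)">site</a>'
                    '<a href="https://example.com">site</a>')
```

A production mail service would use a maintained sanitizer library with the same allowlist design rather than this minimal parser, but the policy decision it illustrates is the same.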
In his blog post, the Finnish researcher wrote, "As a proof of concept I supplied Yahoo Security with an email that, when viewed, could use AJAX to read the user's inbox contents and send it to the hacker's server."
After the Finnish researcher reported the vulnerability to Yahoo, he was awarded a $10,000 bounty. Yahoo told the media that he had disclosed the flaw privately, which is why he received the $10,000 bounty. He had also earned a $500 bounty in December, and he reported a similar vulnerability in the web version of Yahoo Mail earlier this year.