Yahoo fixes flaw allowing an attacker to read any user's emails
Yahoo has fixed a severe security vulnerability in its consumer email service that could have allowed an attacker to read a victim's email inbox.
The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail.
The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty.
In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which also let an attacker compromise a user's account. Yahoo filters HTML messages so that malicious code does not reach the user's browser, but the researcher found that the filters did not catch all of the malicious data attributes.
He explained that a specially crafted email could have triggered malicious JavaScript that executed as soon as the victim viewed the message.
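To make that class of filtering failure concrete, here is an added example that is not Yahoo's code and not the researcher's payload; the article does not say which attributes Yahoo's filter missed or how its front end consumed them. The example contrasts a denylist sanitizer, which removes only what it already knows is bad (script tags, on* handlers, javascript: URLs) and so passes unknown attributes such as data-* untouched, with an allowlist sanitizer that drops every tag and attribute not explicitly permitted. The tag and attribute policies, the data-url attribute and the message body are all constructed for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for the stricter sanitizer (not Yahoo's actual rules).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "img", "div", "span", "table", "tr", "td"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# The weaker sanitizer only names what it already knows is dangerous.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "style", "link", "meta"}
VOID_TAGS = {"br", "img", "hr"}


class MailSanitizer(HTMLParser):
    """Rewrites an HTML message body under a 'denylist' or an 'allowlist' policy."""

    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy = policy
        self.out = []
        self.dropped_depth = 0  # > 0 while inside an element that was removed

    def _keep_tag(self, tag):
        if self.policy == "denylist":
            return tag not in BLOCKED_TAGS
        return tag in ALLOWED_TAGS

    def _keep_attr(self, name, value):
        v = (value or "").strip().lower()
        if self.policy == "denylist":
            if name.startswith("on"):  # inline event handlers
                return False
            if name in ("href", "src") and v.startswith("javascript:"):
                return False
            return True  # data-* and every other unlisted attribute passes through
        if name not in ALLOWED_ATTRS:
            return False  # data-* is simply not on the allowlist
        if name in ("href", "src"):
            return v.startswith(SAFE_SCHEMES)
        return True

    def handle_starttag(self, tag, attrs):
        if self.dropped_depth:
            if tag not in VOID_TAGS:
                self.dropped_depth += 1
            return
        if not self._keep_tag(tag):
            if tag not in VOID_TAGS:
                self.dropped_depth = 1
            return
        kept = [(n, v) for n, v in attrs if self._keep_attr(n, v)]
        rendered = "".join(
            f" {n}" if v is None else f' {n}="{escape(v, quote=True)}"' for n, v in kept
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self.dropped_depth:
            if tag not in VOID_TAGS:
                self.dropped_depth -= 1
            return
        if tag not in VOID_TAGS and self._keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropped_depth:  # text inside a dropped <script> never reaches output
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional ones) are dropped outright


def sanitize(message_html, policy):
    p = MailSanitizer(policy)
    p.feed(message_html)
    p.close()
    return "".join(p.out)


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(n for n, _ in attrs)


def attribute_names(fragment):
    """Attribute names left in a fragment; used to audit what a sanitizer let through."""
    c = _AttrCollector()
    c.feed(fragment)
    c.close()
    return c.names


# Constructed message for the example. The data-url attribute stands in for any
# attribute the denylist has no rule for but the receiving page's own scripts might read.
CRAFTED_MESSAGE = (
    "<p>Invoice attached.</p>"
    "<script>alert(1)</script>"
    '<img src="https://example.invalid/x.png" onerror="alert(2)">'
    '<a href="javascript:alert(3)">open</a>'
    '<div data-url="javascript:alert(4)" title="attachment">attachment</div>'
)

if __name__ == "__main__":
    for policy in ("denylist", "allowlist"):
        cleaned = sanitize(CRAFTED_MESSAGE, policy)
        print(f"[{policy}] {cleaned}")
        print(f"[{policy}] surviving attributes: {attribute_names(cleaned)}")
```

Both policies strip the script block, the onerror handler and the javascript: link, so a scanner looking only for those would mark both outputs clean. The difference is the data-url attribute: the denylist keeps it because nothing says to remove it, while the allowlist drops it because nothing says to keep it. Whether a surviving attribute becomes script execution depends on what the webmail client's own code does with it, which is exactly why a filter that reasons about known-bad patterns is weaker than one that emits only known-good markup.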
Pynnonen said in an email that exploiting the flaw was "rather easy," but finding the bug was difficult.
"I wouldn't say it's a basic bug and it's not something discoverable with automated tools [and scanners]," he said.
A Yahoo spokesperson did not respond to a request for comment at the time of writing.
Source: Latest Topic for ZDNet, http://ift.tt/2geOCMN