Security Experts:

Researcher Earns $10,000 for Yahoo! Mail Flaw

A researcher has been awarded $10,000 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability in the web version of the Yahoo! Mail service.

The flaw was discovered and reported in late December by Jouko Pynnönen of Finland-based software company Klikki Oy. The security hole allowed malicious actors to send out emails containing hidden JavaScript code that would get executed as soon as the victim read the attacker’s message.

According to Pynnönen, an attacker could have exploited the vulnerability to compromise accounts, change their settings, and silently forward the victim’s emails. The expert demonstrated how a malicious hacker could have sent the victim’s inbox to an external website, and how they could have created an email virus that attached itself to all outgoing emails by silently adding malicious code to message signatures.

The problem was that the web version of Yahoo! Mail failed to properly filter potentially malicious code in HTML emails. Pynnönen noticed that the filters removed the value of boolean attributes, but the attribute itself and the equal sign following it were kept.

For example, inserting an image and using the “ismap” attribute, which defines an image with clickable areas, could have been used to execute arbitrary JavaScript with the following code: 

Yahoo Mail XSS

Yahoo! Mail would transform the code so that when the email was opened, the image was rendered across the entire size of the window, ensuring that the code in the “onmouseover” attribute got executed without user interaction: 

Yahoo Mail XSS

Pynnönen told SecurityWeek that Yahoo’s filter did not remove the equal sign along with the value of the attribute. Now that the vulnerability has been fixed, the equal sign is also removed, which makes the code look like this:

Yahoo Mail XSS

“It wasn't specific to ismap. The same goes for a few other HTML attributes that work by being present or absent, e.g. <input type=checkbox checked> or <option selected>,” the researcher said via email. “In the corrected case above, the stuff after itemtype is no longer interpreted as separate style and onmouseover attributes, but the whole long string is the value of itemtype attribute. There is again no way to freely supply those ‘dangerous’ attributes.”

Yahoo! was informed about the vulnerability on December 26 and fixed it on January 6. The $10,000 bounty awarded to Pynnönen is one of the highest paid out by the company so far.

“Our Bug Bounty Program plays a critical role in the overall security posture of Yahoo, helping to ensure Yahoo products and systems are as secure as possible to provide the greatest value to our users. We’re proud of the security community that we’ve built through our program, with over 1,800 participating hackers who have helped Yahoo resolve more than 2,500 bugs,” Yahoo said in an emailed statement. The vulnerability submitted by Mr. Pynnonen, and the subsequent review and action by our team is a perfect example of the success and vitality of our Bug Bounty program.

The expert reported two other bugs to Yahoo in December: a stored XSS in Flickr, for which he earned $500, and an issue that Yahoo closed after determining that it had been previously disclosed by someone else.

In July 2015, Yahoo reported paying out more than $1 million dollars since the launch of its bug bounty program in October 2013.

The stored XSS found by Pynnönen affected the web version of Yahoo! Mail, but not the mobile applications. In December, researcher Ibrahim Raafat reported finding a stored XSS in the mobile version of the Yahoo! Mail website. The bug identified by Raafat allowed an attacker to execute malicious code as soon as the victim opened their Yahoo! Mail account from the mobile version of the website.

*Updated with statement from Yahoo!

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.