A researcher has been awarded $10,000 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability in the web version of the Yahoo! Mail service.
The flaw was discovered and reported in late December by Jouko Pynnönen of Finland-based software company Klikki Oy. The security hole allowed malicious actors to send out emails containing hidden JavaScript code that would get executed as soon as the victim read the attacker’s message.
According to Pynnönen, an attacker could have exploited the vulnerability to compromise accounts, change their settings, and silently forward the victim’s emails. The expert demonstrated how a malicious hacker could have sent the victim’s inbox to an external website, and how they could have created an email virus that attached itself to all outgoing emails by silently adding malicious code to message signatures.
The problem was that the web version of Yahoo! Mail failed to properly filter potentially malicious code in HTML emails. Pynnönen noticed that the filters removed the value of boolean attributes, but the attribute itself and the equal sign following it were kept.
For example, inserting an image and using the “ismap” attribute, which defines an image with clickable areas, could have been used to execute arbitrary JavaScript with the following code:
Yahoo! Mail would transform the code so that when the email was opened, the image was rendered across the entire size of the window, ensuring that the code in the “onmouseover” attribute got executed without user interaction:
Pynnönen told SecurityWeek that Yahoo’s filter did not remove the equal sign along with the value of the attribute. Now that the vulnerability has been fixed, the equal sign is also removed, which makes the code look like this:
“It wasn’t specific to ismap. The same goes for a few other HTML attributes that work by being present or absent, e.g. <input type=checkbox checked> or <option selected>,” the researcher said via email. “In the corrected case above, the stuff after itemtype is no longer interpreted as separate style and onmouseover attributes, but the whole long string is the value of itemtype attribute. There is again no way to freely supply those ‘dangerous’ attributes.”
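The filter behaviour described above can be modelled with a toy sanitizer. The Python below is an added example, not Yahoo's filter or the researcher's proof of concept; it re-parses the filter's output the way a browser would and reports any attribute that is not on the allowlist. The allowlist, the function names and the sample markup are assumptions constructed for illustration.

```python
import re
from html import escape

ALLOWED = {"src", "ismap", "itemtype"}   # assumed allowlist for this demo
BOOLEAN = {"ismap", "checked", "selected"}

# Simplified HTML5 attribute tokenizer: name, optional "=", then a
# double-quoted, single-quoted or unquoted value.
ATTR = re.compile(r'''[\s/]*([^\s/>=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?''')

def browser_attrs(tag):
    """Return {name: value} the way a browser would read one start tag."""
    pos = re.match(r"<\w+", tag).end()
    attrs = {}
    while (m := ATTR.match(tag, pos)):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs.setdefault(m.group(1).lower(), value)  # first duplicate wins
        pos = m.end()
    return attrs

def sanitize(tag, fixed):
    """Toy filter: keep allowlisted attributes, drop boolean attribute values."""
    name = re.match(r"<(\w+)", tag).group(1)
    parts = [name]
    for attr, value in browser_attrs(tag).items():
        if attr not in ALLOWED:
            continue
        if attr in BOOLEAN:
            # Flawed form keeps the "=", so the next token becomes the value.
            parts.append(attr if fixed else attr + "=")
        else:
            parts.append(f'{attr}="{escape(value, quote=True)}"')
    return "<" + " ".join(parts) + ">"

def leaked_attrs(sanitized_tag):
    """Regression check: re-parse the output, report non-allowlisted names."""
    return sorted(set(browser_attrs(sanitized_tag)) - ALLOWED)

# Constructed sample message markup (not the researcher's proof of concept).
SAMPLE = ('<img src="x.png" ismap="xxx" '
          'itemtype="yyy style=width:100%;height:100% onmouseover=alert(1)//">')

if __name__ == "__main__":
    for fixed in (False, True):
        out = sanitize(SAMPLE, fixed)
        print(out, "->", leaked_attrs(out))
```

Running the same re-parse check over a sanitizer's real output is a cheap regression test for this class of bug: any attribute name that appears after serialization but is not on the allowlist means the output no longer parses the way the filter assumed.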
Yahoo! was informed about the vulnerability on December 26 and fixed it on January 6. The $10,000 bounty awarded to Pynnönen is one of the highest paid out by the company so far.
“Our Bug Bounty Program plays a critical role in the overall security posture of Yahoo, helping to ensure Yahoo products and systems are as secure as possible to provide the greatest value to our users. We’re proud of the security community that we’ve built through our program, with over 1,800 participating hackers who have helped Yahoo resolve more than 2,500 bugs,” Yahoo said in an emailed statement. “The vulnerability submitted by Mr. Pynnonen, and the subsequent review and action by our team is a perfect example of the success and vitality of our Bug Bounty program.”
The expert reported two other bugs to Yahoo in December: a stored XSS in Flickr, for which he earned $500, and an issue that Yahoo closed after determining that it had been previously disclosed by someone else.
In July 2015, Yahoo reported paying out more than $1 million since the launch of its bug bounty program in October 2013.
The stored XSS found by Pynnönen affected the web version of Yahoo! Mail, but not the mobile applications. In December, researcher Ibrahim Raafat reported finding a stored XSS in the mobile version of the Yahoo! Mail website. The bug identified by Raafat allowed an attacker to execute malicious code as soon as the victim opened their Yahoo! Mail account from the mobile version of the website.
*Updated with statement from Yahoo!

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
