A researcher has been awarded $10,000 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability in the web version of the Yahoo! Mail service.
The flaw was discovered and reported in late December by Jouko Pynnönen of Finland-based software company Klikki Oy. The security hole allowed malicious actors to send out emails containing hidden JavaScript code that would get executed as soon as the victim read the attacker’s message.
According to Pynnönen, an attacker could have exploited the vulnerability to compromise accounts, change their settings, and silently forward the victim’s emails. The expert demonstrated how a malicious hacker could have sent the victim’s inbox to an external website, and how they could have created an email virus that attached itself to all outgoing emails by silently adding malicious code to message signatures.
The problem was that the web version of Yahoo! Mail failed to properly filter potentially malicious code in HTML emails. Pynnönen noticed that the filters removed the value of boolean attributes, but the attribute itself and the equal sign following it were kept.
For example, inserting an image and using the “ismap” attribute, which defines an image with clickable areas, could have been used to execute arbitrary JavaScript with the following code:
Yahoo! Mail would transform the code so that when the email was opened, the image was rendered across the entire size of the window, ensuring that the code in the “onmouseover” attribute got executed without user interaction:
Pynnönen told SecurityWeek that Yahoo’s filter did not remove the equal sign along with the value of the attribute. Now that the vulnerability has been fixed, the equal sign is also removed, which makes the code look like this:
“It wasn’t specific to ismap. The same goes for a few other HTML attributes that work by being present or absent, e.g. <input type=checkbox checked> or <option selected>,” the researcher said via email. “In the corrected case above, the stuff after itemtype is no longer interpreted as separate style and onmouseover attributes, but the whole long string is the value of itemtype attribute. There is again no way to freely supply those ‘dangerous’ attributes.”
Yahoo! was informed about the vulnerability on December 26 and fixed it on January 6. The $10,000 bounty awarded to Pynnönen is one of the highest paid out by the company so far.
“Our Bug Bounty Program plays a critical role in the overall security posture of Yahoo, helping to ensure Yahoo products and systems are as secure as possible to provide the greatest value to our users. We’re proud of the security community that we’ve built through our program, with over 1,800 participating hackers who have helped Yahoo resolve more than 2,500 bugs,” Yahoo said in an emailed statement. “The vulnerability submitted by Mr. Pynnonen, and the subsequent review and action by our team is a perfect example of the success and vitality of our Bug Bounty program.”
The expert reported two other bugs to Yahoo in December: a stored XSS in Flickr, for which he earned $500, and an issue that Yahoo closed after determining that it had been previously disclosed by someone else.
In July 2015, Yahoo reported paying out more than $1 million dollars since the launch of its bug bounty program in October 2013.
The stored XSS found by Pynnönen affected the web version of Yahoo! Mail, but not the mobile applications. In December, researcher Ibrahim Raafat reported finding a stored XSS in the mobile version of the Yahoo! Mail website. The bug identified by Raafat allowed an attacker to execute malicious code as soon as the victim opened their Yahoo! Mail account from the mobile version of the website.
*Updated with statement from Yahoo!

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
