Connect with us

Hi, what are you looking for?



Researcher Earns $10,000 for Yahoo! Mail Flaw

A researcher has been awarded $10,000 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability in the web version of the Yahoo! Mail service.

A researcher has been awarded $10,000 for responsibly disclosing a stored cross-site scripting (XSS) vulnerability in the web version of the Yahoo! Mail service.

The flaw was discovered and reported in late December by Jouko Pynnönen of Finland-based software company Klikki Oy. The security hole allowed malicious actors to send out emails containing hidden JavaScript code that would get executed as soon as the victim read the attacker’s message.

According to Pynnönen, an attacker could have exploited the vulnerability to compromise accounts, change their settings, and silently forward the victim’s emails. The expert demonstrated how a malicious hacker could have sent the victim’s inbox to an external website, and how they could have created an email virus that attached itself to all outgoing emails by silently adding malicious code to message signatures.

The problem was that the web version of Yahoo! Mail failed to properly filter potentially malicious code in HTML emails. Pynnönen noticed that the filters removed the value of boolean attributes, but the attribute itself and the equal sign following it were kept.

For example, inserting an image and using the “ismap” attribute, which defines an image with clickable areas, could have been used to execute arbitrary JavaScript with the following code: 

Yahoo Mail XSS

Yahoo! Mail would transform the code so that when the email was opened, the image was rendered across the entire size of the window, ensuring that the code in the “onmouseover” attribute got executed without user interaction: 

Yahoo Mail XSS

Pynnönen told SecurityWeek that Yahoo’s filter did not remove the equal sign along with the value of the attribute. Now that the vulnerability has been fixed, the equal sign is also removed, which makes the code look like this:

Advertisement. Scroll to continue reading.

Yahoo Mail XSS

“It wasn’t specific to ismap. The same goes for a few other HTML attributes that work by being present or absent, e.g. <input type=checkbox checked> or <option selected>,” the researcher said via email. “In the corrected case above, the stuff after itemtype is no longer interpreted as separate style and onmouseover attributes, but the whole long string is the value of itemtype attribute. There is again no way to freely supply those ‘dangerous’ attributes.”

Yahoo! was informed about the vulnerability on December 26 and fixed it on January 6. The $10,000 bounty awarded to Pynnönen is one of the highest paid out by the company so far.

“Our Bug Bounty Program plays a critical role in the overall security posture of Yahoo, helping to ensure Yahoo products and systems are as secure as possible to provide the greatest value to our users. We’re proud of the security community that we’ve built through our program, with over 1,800 participating hackers who have helped Yahoo resolve more than 2,500 bugs,” Yahoo said in an emailed statement. The vulnerability submitted by Mr. Pynnonen, and the subsequent review and action by our team is a perfect example of the success and vitality of our Bug Bounty program.

The expert reported two other bugs to Yahoo in December: a stored XSS in Flickr, for which he earned $500, and an issue that Yahoo closed after determining that it had been previously disclosed by someone else.

In July 2015, Yahoo reported paying out more than $1 million dollars since the launch of its bug bounty program in October 2013.

The stored XSS found by Pynnönen affected the web version of Yahoo! Mail, but not the mobile applications. In December, researcher Ibrahim Raafat reported finding a stored XSS in the mobile version of the Yahoo! Mail website. The bug identified by Raafat allowed an attacker to execute malicious code as soon as the victim opened their Yahoo! Mail account from the mobile version of the website.

*Updated with statement from Yahoo!

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.