There was a serious security flaw in Yahoo Mail that enabled an attacker to attach malicious code to a victim’s outgoing messages or read any email in the victim’s inbox, just by having the victim open a carefully crafted email.
Yahoo patched the vulnerability last week, closing a hole that the researcher who discovered it said was dead simple to exploit. The bug was a stored cross-site scripting vulnerability and was nearly identical to one the researcher, Jouko Pynnönen, discovered earlier this year. The issue he found involves the way that Yahoo Mail handled some specific HTML attributes. Pynnönen found that by inserting HTML with malicious attributes into an email, he could get access to the target’s inbox once the victim opened the message.
Pynnönen said he came across the vulnerability after looking at the various HTML attributes and the way Yahoo Mail processed them.
“I tried creating an email with ‘abusive’ data-* attributes and bingo!, found a pathological case pretty quickly. Inserting a quote symbol in the data-url value caused broken HTML in the share button. As long as the URL pointed to a white-listed website such as YouTube, it was not further sanity checked or encoded. The value was used as is for setting a div innerHTML to create the button.”
Pynnönen reported the vulnerability to Yahoo through the HackerOne bug bounty platform and the company patched the bug last week. This is the second stored XSS that Pynnönen has discovered in Yahoo Mail. In January he disclosed a similar flaw, which Yahoo fixed.