A flaw in the Yahoo Email service allowed hackers to access a target's emails

Pierluigi Paganini December 08, 2016

The Finnish security expert Jouko Pynnönen discovered a vulnerability in the Yahoo email service that allowed hackers to read anyone's messages.

A vulnerability in the Yahoo email service allowed hackers to read anyone's messages. The IT giant has recently patched the flaw, which was discovered by Jouko Pynnönen, a Finnish security researcher from the security firm Klikki Oy.

Pynnönen discovered a DOM-based persistent cross-site scripting (XSS) vulnerability in Yahoo Mail. An attacker could have exploited it to send emails embedded with malicious code.

“A security vulnerability in Yahoo Mail was fixed last week. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts, among other things.” states a blog post published by the Klikki Oy company.

“The attack required the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) was required.”

The blog post details how the flaw in Yahoo email could be exploited: an attacker could have sent the victim's inbox to an external site, and created malicious code that is attached to all outgoing emails. The dirty job could be done by a malicious script that is secretly added to message signatures, which means that the malicious code is embedded in the message's body.

Once the victim receives the email, the code is executed when they open the message. The malicious script covertly submits the victim's inbox content to an external website controlled by the attacker.

The expert explained that Yahoo Mail failed to properly filter malicious code embedded in HTML emails.

“However in the email composing view I noticed various attachment options to which I didn’t give much attention last year. I composed an email containing different kinds of attachments and sent it to an external mailbox. This way I could inspect the “raw” HTML this kind of email contains.” states the post.

“It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially,” 

By composing different email messages with different attachments, the researcher analyzed the HTML code generated by the Yahoo Email service.

He noticed that not all HTML attributes are properly validated. He also discovered that some of them could be used to store application-specific data, typically for JavaScript use, which seemed to offer a new potential attack vector. It would be possible to embed a number of HTML attributes that are passed through Yahoo's HTML filter and treated specially.

He then realized that it is possible to use some attributes as an attack vector.

“What caught my eye were the data-* HTML attributes. First, I realized my last year’s effort to enumerate HTML attributes allowed by Yahoo’s filter didn’t catch all of them. Second, since data-* HTML attributes are used to store application-specific data typically for JavaScript use, it seemed there was a new potential attack vector here. It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially.”
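The following is an added example, not code from the original article, Klikki Oy, or Yahoo. It shows one defensive approach to the filtering gap described above: an attribute allowlist that drops every `data-*` attribute (and anything else not explicitly permitted) from inbound mail HTML, so client-side JavaScript never receives attacker-supplied values. The allowlist, the `sanitize` function and the attribute names in the sample are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example; no data-* or on* attribute is listed.
ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt"}, "p": set(),
           "div": set(), "span": set(), "b": set(), "i": set(), "br": set()}
VOID = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")

class MailSanitizer(HTMLParser):
    """Rebuild HTML from allowlisted tags/attributes; record what was dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1          # discard the element and its text content
        if self.skip or tag not in ALLOWED:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            url_ok = (name not in ("href", "src")
                      or value.strip().lower().startswith(SAFE_SCHEMES))
            if name in ALLOWED[tag] and url_ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:                   # data-*, on*, style, unknown: all dropped
                self.dropped.append(f"{tag}[{name}]")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample message body; attribute names are hypothetical.
SAMPLE = ('<div data-widget-src="https://example.invalid/x" onclick="run()">'
          '<a href="https://example.com/" data-card="1">link</a>'
          '<a href="javascript:run()">x</a><script>run()</script>ok</div>')
```

The list of dropped items returned alongside the cleaned HTML can be logged, which gives a detection signal when inbound mail carries attributes the filter does not recognise.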

As a proof of concept Pynnönen supplied Yahoo Security with an email that, when viewed, would use AJAX to read the user’s inbox contents and send it to the attacker’s server.

Pynnönen privately disclosed the flaw to Yahoo under its bug bounty program, which is operated by HackerOne. He was awarded a $10,000 bounty.

This isn't the first time that the expert has reported a flaw to Yahoo. He discovered a similar vulnerability in the web version of the Yahoo! Mail service earlier this year, when he was awarded a $10,000 bounty too.


Pierluigi Paganini

(Security Affairs – Yahoo email Service, hacking)


