
Yahoo Just Fixed Another Scary XSS Bug

Security experts definitely shiver every time a multinational company is found vulnerable to attacks. Such news stories are never to be underestimated – disclosed vulnerabilities usually leave millions of users prone to exploitation.

Let’s take a glimpse at Yahoo! and the XSS (cross-site scripting) vulnerability that could have enabled bad actors to compromise users’ email accounts just by sending a malicious email. Let’s repeat the last part – to exploit the vulnerability, the only action required of the user was opening and viewing the email. Nothing more.

Who Discovered the XSS Vulnerability in Yahoo?

A Finnish researcher, Jouko Pynnönen, discovered and reported the scary bug. This is what the researcher said in his original post, titled “Yahoo Mail Stored XSS”:

A stored XSS vulnerability in Yahoo Mail was patched earlier this month. The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to e.g. compromise the account, change its settings, and forward or send email without the user’s consent.

All Versions of Yahoo Affected, Mobile App Aside

Furthermore, the vulnerability affected all versions of the Yahoo mail service, the mobile app excluded. One reason for users to be concerned is that Yahoo is the second-largest email service in the world: almost 300 million email accounts were registered as of February 2014.

Luckily, Yahoo says that the bug hasn’t been exploited and was fixed on January 6 before anything bad happened.

Jouko Pynnönen has also made a video that illustrates the potential exploit.

Unfortunately, this is not the first XSS bug found in Yahoo, and it probably won’t be the last. Fortunately, Yahoo, among others, has a bug bounty program that encourages independent researchers to report the bugs they discover. For this particular vulnerability report, the Finnish researcher was rewarded $10,000.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
