Security experts definitely shiver every time a multinational company is found vulnerable to attacks. Such news stories are never to be underestimated – disclosed vulnerabilities usually leave millions of users prone to exploitation.
Let’s take a glimpse at Yahoo! and the XSS (cross-site scripting) vulnerability that could have enabled bad actors to compromise users’ email accounts by just sending a malicious email. Let’s repeat the last part – to exploit the vulnerability, the only action on behalf of the user is just opening and viewing their email. Nothing more.
Who Discovered the XSS Vulnerability in Yahoo?
A Finnish researcher, Jouko Pynnönen, has discovered and reported the scary bug. This is what the researcher has said in his original post, titled Yahoo Mail Stored XSS:
All Versions of Yahoo Affected, Mobile App Aside
Furthermore, the vulnerability in question has affected all versions of Yahoo mail service, the mobile app excluded. One reason that should agitate users is that Yahoo is the second largest email service in the world. Almost 300 million email accounts were registered as of February 2014.
Luckily, Yahoo says that the bug hasn’t been exploited and was fixed on January 6 before anything bad happened.
Jouko Pynnönen has also made a video that illustrates the potential exploit.
Unfortunately, this is not the first XSS bug found in Yahoo, and probably it won’t be the last one. Fortunately, Yahoo, among others, has a bug bounty program that encourages independent researchers to report bugs they discover. For this particular vulnerability report, the Finnish researcher was rewarded $10,000.