
Yahoo Just Fixed Another Scary XSS Bug

Security experts shiver every time a multinational company is found to be vulnerable to attacks. Such news stories should never be underestimated – disclosed vulnerabilities usually leave millions of users exposed to exploitation.

Let’s take a glimpse at Yahoo! and the XSS (cross-site scripting) vulnerability that could have enabled bad actors to compromise users’ email accounts just by sending a malicious email. Let’s repeat the last part – to trigger the exploit, the only action required of the user was opening and viewing the email. Nothing more.

Who Discovered the XSS Vulnerability in Yahoo?

A Finnish researcher, Jouko Pynnönen, discovered and reported the bug. This is what he wrote in his original post, titled Yahoo Mail Stored XSS:

A stored XSS vulnerability in Yahoo Mail was patched earlier this month. The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message. The code would be automatically evaluated when the message was viewed. The JavaScript could be used to e.g. compromise the account, change its settings, and forward or send email without the user’s consent.
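The mechanism described in the quote is a classic stored XSS: the email body is HTML supplied by an untrusted sender, and if the webmail application places that HTML into the recipient's page without rewriting it, any script or event-handler attribute the sender included runs in the recipient's session. The standard fix is an allowlist sanitizer that re-serializes the body, keeping only known-harmless tags and attributes. The following is an added illustration of that principle, not Yahoo's code and not the researcher's; it goes slightly beyond the single case in the quote by also handling event-handler attributes and non-http(s) link schemes, and the sample email body is constructed. It is built on Python's standard-library HTML tokenizer rather than regular expressions, because regex-based sanitizers are easily confused by malformed markup; a production webmail service should use a maintained, parser-based sanitizer and apply it at render time on every message, not just at receipt.

```python
"""Allowlist HTML sanitizer for an untrusted email body (illustrative example).

Principle: never copy sender-supplied HTML into the mailbox page. Re-serialize
it, emitting only tags and attributes from an allowlist, and discard script
and style content entirely. Everything removed is recorded so it can be
logged as a signal that a message carried active content.
"""
from html import escape
from html.parser import HTMLParser

# Tags a plain email needs. Anything else is dropped (its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "div", "span"}
# Per-tag attribute allowlist; event handlers (on*) are never allowed.
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# These tags lose their content too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}
# Link schemes an email client is willing to render. Allowlisting schemes
# rejects "javascript:" and any obfuscated variant of it without a denylist.
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def safe_url(value):
    """True only for absolute links whose scheme is on the allowlist."""
    v = value.strip().lower()
    return any(v.startswith(scheme) for scheme in SAFE_URL_SCHEMES)


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments, joined at the end
        self.skip_depth = 0    # > 0 while inside <script>/<style>
        self.dropped = []      # what was removed, for logging/detection

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")   # drop tag, keep inner text
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not safe_url(value or ""):
                self.dropped.append(f"{tag}@{name}={value!r}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so decoded entities cannot turn into markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions carry nothing an email
    # needs and have historically been used to smuggle markup; drop them.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_email_html(body):
    """Return (sanitized_html, list_of_dropped_items) for an email body."""
    parser = EmailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a benign paragraph plus the kinds of active content a
# stored-XSS email would carry (script element, event handler, script URL).
CONSTRUCTED_EMAIL = (
    '<p>Hi, <b>see the report</b>.</p>'
    '<script>runInMailbox()</script>'
    '<a href="javascript:void(0)" onclick="runInMailbox()">link</a>'
    '<a href="https://example.com/report">real link</a>'
)

if __name__ == "__main__":
    html, dropped = sanitize_email_html(CONSTRUCTED_EMAIL)
    print(html)
    print("removed:", dropped)
```

Run on the constructed message, the sanitizer returns `<p>Hi, <b>see the report</b>.</p><a>link</a><a href="https://example.com/report">real link</a>` and reports the script element, the `javascript:` href and the `onclick` handler as removed. Two design points matter for a webmail deployment: the `dropped` list is worth logging, since a spike in messages carrying script elements is an early signal of a campaign against the client; and the sanitizer must run at render time, so that a message stored before a rule was added is still cleaned when it is viewed.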

All Versions of Yahoo Affected, Mobile App Aside

Furthermore, the vulnerability affected all versions of the Yahoo Mail service except the mobile app. One reason users should be concerned is that Yahoo is the second-largest email service in the world: almost 300 million email accounts were registered as of February 2014.

Luckily, Yahoo says the bug was not exploited and was fixed on January 6, before anything bad happened.

Jouko Pynnönen has also made a video that illustrates the potential exploit.

Unfortunately, this is not the first XSS bug found in Yahoo, and it probably won’t be the last. Fortunately, Yahoo, among others, runs a bug bounty program that encourages independent researchers to report the bugs they discover. For this particular vulnerability report, the Finnish researcher was rewarded $10,000.

Milena Dimitrova
