Yahoo Patches XSS Mail Bug

NicoleMotta - January 21, 2016 - 12:26 PM


Yahoo patched a critical email vulnerability and the security researcher who reported it earned $10,000.

On Tuesday, Finnish security researcher Jouko Pynnönen of Klikki Oy published the details of the Yahoo Mail bug in a blog post. "A stored XSS vulnerability in Yahoo Mail was patched earlier this month. The flaw allowed malicious JavaScript code to be embedded in a specially formatted email message," explained Pynnönen. "We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild'." Pynnönen reported the bug to Yahoo in December. It affected all versions of Yahoo's webmail but not the mobile app, and according to Pynnönen it was fixed on January 6.
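The reason an email can carry a stored XSS payload at all is that webmail renders HTML message bodies inside the logged-in user's session, so anything the server-side HTML filter fails to strip runs with the victim's mailbox privileges. The following is an added illustration of that vulnerability class written for this page; it is not Yahoo's filter and not Pynnönen's proof of concept, and the sample message bodies, the allowlist and the `still_dangerous` check are all constructed for the example. It contrasts a denylist filter that only removes `<script>` blocks with a parser-based allowlist sanitizer, showing why attribute-based payloads (event handlers, `javascript:` URLs, CSS expressions) are the ones a naive filter misses.

```python
"""Added example: stored XSS via HTML email bodies, naive filter vs allowlist.

Not Yahoo's code and not the reporter's PoC. Sample emails, allowlist and
the 'dangerous' heuristic are constructed for illustration only.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample message bodies (not taken from the disclosure).
SAMPLE_EMAILS = {
    "plain_script": "<p>Hi</p><script>alert(1)</script>",
    "event_handler": '<p>Hi</p><img src="x" onerror="alert(document.cookie)">',
    "js_url": '<a href="javascript:alert(1)">invoice</a>',
    "style_expression": '<div style="width:expression(alert(1))">x</div>',
    "benign": '<p>Hello <b>there</b>, see <a href="https://example.com/a">link</a></p>',
}


def naive_filter(body: str) -> str:
    """Denylist filter: strips <script> blocks and nothing else.

    Stands in for the kind of filter that lets attribute-based payloads through.
    """
    return re.sub(r"<script\b[^>]*>.*?</script>", "", body, flags=re.I | re.S)


# Assumed allowlist for the example: tags, and per tag the attributes that may survive.
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "div", "span", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)  # rejects javascript:, data:, vbscript:
VOID_TAGS = {"br", "img"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only allowlisted tags
    and attributes. script/style content, on* handlers, style attributes and
    unknown tags are dropped; text is re-escaped so it cannot leave the text context."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(body: str) -> str:
    """Allowlist sanitizer entry point: returns the rebuilt, filtered HTML."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed heuristic used only to compare the two filters' output here.
DANGEROUS = re.compile(r"<script|\bon\w+\s*=|javascript:|expression\(", re.I)


def still_dangerous(rendered: str) -> bool:
    return DANGEROUS.search(rendered) is not None


def compare_filters() -> dict:
    """Per sample: does each filter's output still carry a recognisable payload?"""
    return {
        name: {"naive": still_dangerous(naive_filter(body)),
               "allowlist": still_dangerous(sanitize(body))}
        for name, body in SAMPLE_EMAILS.items()
    }


if __name__ == "__main__":
    for name, result in compare_filters().items():
        print(f"{name:17} naive_unsafe={result['naive']!s:5} "
              f"allowlist_unsafe={result['allowlist']}")
```

The design point is that the allowlist sanitizer never tries to recognise bad input; it re-serialises only what it positively knows to be safe from the parser's view of the document, which is the property a denylist regex cannot give once attributes, URL schemes and CSS are in play. A production webmail filter also has to deal with the parser-differential problem (the sanitizer and the browser disagreeing on how a malformed message is tokenised), which this example does not address.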

The bug was reported through HackerOne, the crowdsourced platform that hosts Yahoo's bug bounty program. Under this program, researchers are rewarded according to the severity of the reported vulnerability, with payouts of up to $15,000. "At Yahoo's discretion, providing more complete research, proof-of-concept code and detailed write-ups may incur a bonus percentage on the bounty awarded. Conversely, Yahoo may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible," explained Yahoo. "In some cases, rewards may be consolidated into a single payout." For this bug, Yahoo awarded Pynnönen a bounty of $10,000.
