Thursday 8 December 2016

Critical Yahoo Flaw Allowed Hackers to Read User Email's

YAHOO! has recently fixed its severe vulnerability in its email system which were allowing Hackers to read Emails of all users.

It was  a DOM Based persistent XSS ( Cross Side Scripting ) attack which was allowing attacker to read all victim emails and as well as allows attacker to send emails Embedded with malicious Scripts.

Researcher Juko Pynnonen has exposed this Flaw through HackerOne Bounty Programme.



He also explained that this is a flaw similar to last's years Email Bug, which also lets attacker to compromise a user's account.  Yahoo Filters HTML messages and ensures that malicious code won't infect or come through user's browser, but the researcher found the flaw that its not catching all the attributes.

He also demonstrated how victim is redirected to external site and created a virus and attached itself to all outgoing emails by secretly adding a malicious script to message signatures and as soon as the victim's open that malicious email and its hidden script it immediately submit victim's inbox content to an external website controlled by the attacker.

"Pynnonen says he found the vulnerability by force-feeding all Known HTML tags and attributes in order to filter Yahoo uses to weed out Malicious HTML, but certain malicious HTML code manage ed to pass through "


"Juko Pynnonen also awarded $10,000 for privately disclosing it through HackerOne Bounty Programme.