Security researcher Jouko Pynnönen of the Finnish firm Klikki Oy has received a $10,000 bug bounty for
discovering a cross-site scripting (XSS) flaw in Yahoo Mail. The vulnerability could have allowed an
attacker to forward the contents of a victim's inbox to an external website and to
compromise the account itself. Yahoo learned of the flaw last month, deployed a fix and
rewarded the researcher through a bug bounty program.
According to the original post, the vulnerability lay in the way Yahoo Mail
processes HTML-formatted email messages: “As most email solutions these days,
Yahoo Mail displays HTML-formatted email messages after filtering any potentially malicious code. The problem lies in this process. Certain malformed HTML code could pass the filter.”
In other words, the filter and the browser disagreed about how certain malformed markup should be read. An attacker could therefore embed JavaScript in an email message that survived filtering and then ran in the recipient's browser, inside the recipient's Yahoo Mail session, when the message was displayed; this is what makes it a stored XSS rather than a bug the victim has to be lured into triggering.
In the proof-of-concept video, the researcher sent an email carrying such JavaScript. The code forwarded the contents of the victim's inbox to a website of the attacker's choosing and appended further code to the victim's email signature, so that it was attached to every outgoing message without the user's knowledge and could spread with each one.
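The article does not reproduce the malformed HTML that got past Yahoo's filter, so the following is an added illustration of the bug class rather than Klikki Oy's payload or Yahoo's code. It contrasts two ways of filtering an untrusted HTML email body: a blocklist that strips "dangerous-looking" substrings, which is the style of filter that malformed markup slips past, and an allowlist sanitizer that only re-emits tags and attributes it fully parsed and renders everything else as literal text. The sample inputs are constructed for the example; the tag and attribute allowlist and the permitted URL schemes are assumptions, not Yahoo's policy. Runs under Node.js.

```javascript
// Added example, not Klikki Oy's or Yahoo's code. The constructed inputs at the
// bottom are illustrations of the "malformed HTML passes the filter" bug class;
// the markup that actually affected Yahoo Mail is not given in the article.

// 1. Blocklist filter. Each regex makes its own guess about what a tag is; the
//    browser's parser makes a different one, and the gap is where bypasses live.
function naiveFilter(html) {
  return html
    .replace(/<\/?script[^>]*>/gi, "")                          // strip script tags (one pass)
    .replace(/\son\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, "") // strip " onclick=..." handlers
    .replace(/javascript:/gi, "");                               // strip javascript: URLs
}

// 2. Allowlist sanitizer. Only a well-formed tag with an allowlisted name is
//    re-emitted; its attributes are rebuilt from scratch, and URL attributes are
//    decoded and scheme-checked the way a browser would see them.
//    (A Map rather than a plain object, so "constructor" is not an allowed tag.)
const ALLOWED = new Map(Object.entries({            // assumed policy: tag -> allowed attributes
  p: [], br: [], b: [], i: [], u: [], em: [], strong: [], ul: [], ol: [], li: [],
  a: ["href"], img: ["src", "alt"],
}));
const URL_ATTRS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed policy

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) =>
  s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Decode numeric references plus the few named ones that matter for URL
// schemes, so the scheme check sees what the browser will see.
function decodeEntities(s) {
  const named = { colon: ":", tab: "\t", newline: "\n", amp: "&", lt: "<", gt: ">", quot: '"' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] !== "#") return named[body.toLowerCase()] ?? m;
    const code = body[1].toLowerCase() === "x" ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return Number.isInteger(code) && code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}

// Returns the cleaned URL, or null when its scheme is not allowlisted.
function safeUrl(value) {
  // Browsers drop tab/CR/LF anywhere in a URL and leading/trailing C0 controls,
  // so "java\tscript:" means "javascript:" to them.
  const cleaned = decodeEntities(value)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*:)/i.exec(cleaned);
  if (!scheme) return cleaned;                                  // relative URL
  return SAFE_SCHEMES.has(scheme[1].toLowerCase()) ? cleaned : null;
}

// A tag is accepted only if the whole thing, from "<" to ">", parses cleanly.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z][\w-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*(\/?)>/;
const ATTR_RE = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function sanitize(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    const m = TAG_RE.exec(html.slice(lt));
    if (!m) { out += "&lt;"; i = lt + 1; continue; }          // malformed: show it as text
    const [whole, closing, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (!ALLOWED.has(name)) continue;                          // drop the tag, keep its text
    if (closing) { out += `</${name}>`; continue; }
    let attrs = "";
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED.get(name).includes(attr)) continue;         // on*, style, etc. never survive
      let value = a[2] ?? a[3] ?? a[4] ?? "";
      if (URL_ATTRS.has(attr)) { value = safeUrl(value); if (value === null) continue; }
      attrs += ` ${attr}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}${selfClose ? " /" : ""}>`;
  }
  return out;
}

// Constructed inputs (not Yahoo's actual payload): each passes the blocklist
// unchanged or worse, and is neutralised by the allowlist.
const SAMPLES = [
  '<scr<script>ipt>alert(1)</scr</script>ipt>', // single-pass strip reassembles <script>
  '<img/src="x"/onerror=alert(1)>',              // "/" separates attributes; the regex wanted whitespace
  '<a href="java&#09;script:alert(1)">x</a>',    // encoded tab inside the scheme
];

for (const s of SAMPLES) {
  console.log("blocklist:", naiveFilter(s));
  console.log("allowlist:", sanitize(s));
}
```

The design point is that the allowlist never tries to guess what the browser will do with markup it could not parse: it turns it into text. That fails closed, which is why it is also the direction real mail clients take, usually with a full HTML5 parser rather than the small tokenizer above.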
Klikki Oy was awarded the $10,000 through HackerOne, a bug bounty and
vulnerability coordination platform that works with the security research
community. The platform was created by security professionals from
Facebook, Microsoft, and Google, and says it has facilitated the discovery
and fixing of almost 17,000 bugs and paid out $5.83 million in
bounties. According to Litmus Labs, Yahoo Mail is the seventh most popular
email client in the world. The vulnerability affected only the web-based version of
Yahoo Mail, not its mobile application.
Pynnönen said he provided Yahoo with two proof-of-concept exploits.