Yahoo Mail has already made it into the news many times regarding cybersecurity issues. Once again, the service provider comes in the limelight as a researcher reported a Yahoo Mail vulnerability. Allegedly, he discovered a cross-site scripting vulnerability that could allow an attacker snoop on victim’s emails.
Yahoo Mail Vulnerability Compromised Victim’s Inbox
According to a recent report, a researcher has spotted a critical vulnerability in Yahoo Mail. The flaw could allow an attacker to reach the victim’s emails and take over the account.
Reportedly, the researcher Jouko Pynnönen of Klikki Oy discovered a cross-site scripting (XSS) vulnerability affecting Yahoo Mail. This discovery marks the third event for Pynnönen to report an XSS flaw with Yahoo.
Precisely, he hinted about this Yahoo Mail vulnerability in his tweet two weeks ago. Though he didn’t name the affected service at that time.
Got a nice #bugbounty this week from a stored XSS (+CSP bypass), my 3rd time on that asset. I've prepared a write-up again but not sure what kind of disclosure they're OK with – no response yet. pic.twitter.com/l7CGUHkn19
— Klikki Oy (@klikkioy) February 9, 2019
Nonetheless, people were quick to guess that the researcher has referred to Yahoo Mail. Recently, he confirmed it in another tweet.
Ok, the #bugbounty I mentioned last week was a stored XSS in Yahoo Mail, same impact as the previous (https://t.co/6wnNKBS6BY). I got green light for disclosing the asset etc. but can't publish the write-up for the time being. Maybe later. Thanks again @yahoosecurity! pic.twitter.com/DMufcwkbmT
— Klikki Oy (@klikkioy) February 15, 2019
However, Pynnönen hasn’t shared any technical details of the vulnerability yet. As he told SecurityWeek, Oath has asked him not to share the details publicly. Yet, he hinted about the nature of the vulnerability by comparing it with his previous findings. Allegedly, the exploit of this stored XSS flaw involved basic HTML filtering. Upon successful exploit, the potential attacker could gain access to the target email user’s inbox.
Researcher Earned Another Big Bounty
According to SecurityWeek, Pynnönen discovered the flaw in December 2018, which he then reported to Yahoo. In January, Yahoo patched the flaw and also acknowledged Pynnönen’s efforts with a hefty bug bounty of $10,000.
It isn’t the first time for Pynnönen to spot a Yahoo Mail bug. In fact, he has already made similar findings in the past as well. In 2016, Pynnönen won a $10,000 bounty from Yahoo on reporting an XSS flaw. While he already reported a similar vulnerability to Yahoo in 2014 as well. So, the present Yahoo XSS vulnerability–Jouko Pynnönen interaction marks the third one.