A flaw in the Yahoo Email service allowed hackers to access target’s emails

KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

The Finnish security expert Jouko Pynnönen discovered a vulnerability in the Yahoo email service that allowed hackers to read anyone messages.

A vulnerability in the Yahoo email service allowed hackers to read anyone messages. The giant IT has recently patched the flaw that was discovered by Jouko Pynnönen, a Finnish Security researcher from security firm Klikki Oy.

Pynnönen discovered a DOM based persistent Cross-Site Scripting in Yahoo mail, an attacker could have exploited it to send emails embedded with malicious code.

“A security vulnerability in Yahoo Mail was fixed last week. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts, among other things.” states a blog post published by the Klikki Oy company.

“The attack required the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) was required.”

The blog post details how to exploit the flaw in Yahoo email, a malicious attacker could have sent the victim’s inbox to an external site, and created a malicious code is sent as an attachment to all outgoing emails. The dirty job could be done by a malicious script that is secretly added to message signatures, this means that the malicious code is embedded in the message’s body.

Yahoo email

Once the victim will receive the emails, the code will be executed while he opens the message. The malicious script will covertly submit victim’s inbox content to an external website controlled by the attacker.

The experts explained that the Yahoo Mail failed to properly filter malicious code embedded in the HTML emails.

“However in the email composing view I noticed various attachment options to which I didn’t give much attention last year. I composed an email containing different kinds of attachments and sent it to an external mailbox. This way I could inspect the “raw” HTML this kind of email contains.” states the post.

“It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially,” 

Composing different email messages with different attachments, the researchers analyzed the HTML code generated by the Yahoo Email service.

He noticed that not all the HTML attributes are properly validated, he also discovered that some of them could be used to store application-specific data typically for JavaScript use., it seemed there was a new potential attack vector here. It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially.

He then realized that it is possible some attributes as an attack vector.

“What caught my eye were the data-* HTML attributes. First, I realized my last year’s effort to enumerate HTML attributes allowed by Yahoo’s filter didn’t catch all of them. Second, since data-* HTML attributes are used to store application-specific data typically for JavaScript use, it seemed there was a new potential attack vector here. It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially.”

As a proof of concept Pynnönen supplied Yahoo Security with an email that, when viewed, would use AJAX to read the user’s inbox contents and send it to the attacker’s server.

Pynnönen privately disclosed the flaw to Yahoo under its bug bounty program that operatedby HackerOne. He was awarded a $10,000 bounty.

Source:http://securityaffairs.co/wordpress/

KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this