The vulnerability could have been used to extract users' messages and to inject malicious code into their outgoing messages
Network security and ethical hacking specialists from the International Institute of Cyber Security reported that Yahoo has corrected a critical cross-site scripting (XSS) vulnerability in the Yahoo Mail service. The vulnerability could have been exploited by malicious users to extract victims' messages, and even to inject malicious code into their outgoing messages.
The vulnerability could have been exploited by groups of hackers to extract the victims’ emails and forward them to external websites under their control; they might even have managed to make changes to the configuration of compromised Yahoo Mail accounts to perform other unauthorized activities.
Network security specialists believe that this vulnerability is related to inadequate filtering of malicious HTML code on email platforms. This XSS vulnerability was discovered in Yahoo Mail at the end of last year, although Yahoo was only able to fix it in January 2019. The investigator who reported the vulnerability to the company was rewarded with $10k USD.
Finland-born Jouko Pynnönen, the network security expert who reported the vulnerability, mentioned that he cannot disclose technical details about it because Oath, the company that owns Yahoo, has asked him not to, but he did mention that it is related to Yahoo Mail's HTML-code filtering.
In addition, in 2016 the expert discovered another XSS vulnerability in the same email service, which could have exposed the personal messages of any user, and for which he also received a $10k USD bounty from Yahoo.