A $10k USD bounty for the hacker who reported critical vulnerability in Yahoo Mail

Yahoo Launches Gryffin, a Web Security Scanning Platform

The vulnerability could have been used to extract messages from users and to inject malicious code their outgoing messages

Network security and ethical hacking specialists from the International Institute of Cyber Security reported that Yahoo has corrected a critical cross-site scripting vulnerability (XSS) in the Yahoo Mail service. The vulnerability could have been exploited by malicious users to extract messages from the victims, even to inject malicious code into their outgoing messages.

The vulnerability could have been exploited by groups of hackers to extract the victims’ emails and forward them to external websites under their control; they might even have managed to make changes to the configuration of compromised Yahoo Mail accounts to perform other unauthorized activities.

Network security specialists believe that this vulnerability is related to inadequate filtering of malicious HTML code on email platforms. This XSS vulnerability was discovered hosted in Yahoo Mail at the end of last year, although Yahoo could fix it until January 2019. The investigator who reported the vulnerability to the company was rewarded with $10k USD.

Finland born, Jouko Pynnönen, the network security expert who reported the vulnerability, mentioned that it is not possible to disclose technical details about the vulnerability because Oath, Yahoo proprietary company, has asked for it, but he did mention that it’s related to Yahoo Mail HTML-code filtering.

Pynnönen has discovered other similar flaws in the past. For example, in 2015 reported XSS vulnerability in Yahoo Mail which was also granted a reward. That specific flaw could have allowed a hacker to send emails with hidden JavaScript code, which would run once the user interacted with the message.

In addition, in 2016 the expert discovered a new vulnerability XSS in the same email service, which could have exposed the personal messages of any user, which also received a reward a $10k USD bounty from Yahoo.