Jouko Pynnönen, a Finnish Security researcher from security firm Klikki Oy, reported a DOM based persistent XSS (Cross-Site Scripting) in Yahoo mail, which if exploited, allows an attacker to send emails embedded with malicious code.
Since the malicious code is in the message’s body, the code will get executed as soon as the victim opens the boobytrapped email and its hidden payload script will covertly submit victim’s inbox content to an external website controlled by the attacker.
This issue is because Yahoo Mail failed to properly filter potentially malicious code in HTML emails.
“It would be possible to embed a number of HTML attributes that are passed through Yahoo’s HTML filter and treated specially,” Pynnönen says in his blog post.
“As a proof of concept I supplied Yahoo Security with an email that, when viewed, would use AJAX to read the user’s inbox contents and send it to the attacker’s server,” Pynnönen says.
Pynnönen privately disclosed the vulnerability to Yahoo through its HackerOne bug bounty program and was awarded a $10,000 bounty.
Pynnönen reported a similar vulnerability in the web version of the Yahoo! Mail service earlier this year for which he earned $10,000. He also reported a stored XSS vulnerability in Flickr to Yahoo in December 2015 for which he earned $500.