XSS vulnerability found on mobile site of Yahoo! Mail

An easy-to-exploit cross-site scripting (XSS) vulnerability was discovered in Yahoo Mail's mobile site by security researcher Ibrahim Raafat.

All an attacker needed to do was compose an email containing an XSS payload and send it to the target. The payload executed once the victim opened Yahoo Mail from the mobile site. The malicious code could run even without the victim opening the attacker's email: simply loading the inbox from the mobile site was enough to do the trick.
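The "no need to open the email" behaviour described above is what happens when an inbox listing renders attacker-controlled message fields (sender, subject, preview) without output encoding. The following is an added example, not Yahoo's code or the researcher's, showing a vulnerable inbox-row renderer next to its hardened form; the message structure and field names are assumptions.

```javascript
// Added example (not Yahoo's code): why an unopened email can fire XSS in a
// webmail inbox listing, and the output-encoding fix for it.
// The inbox page renders attacker-controlled fields for every message, so a
// payload placed in those fields runs as soon as the page loads, without the
// victim ever opening the message itself.

// Constructed sample message: the subject carries a script-injecting payload.
const sampleMessage = {
  from: 'attacker@example.invalid',
  subject: '<img src=x onerror="alert(1)">Invoice',
  preview: 'Please see attached...'
};

// Vulnerable rendering: raw string interpolation into HTML. The browser parses
// the <img> tag inside the subject and runs its onerror handler on page load.
function renderRowVulnerable(msg) {
  return `<li><b>${msg.from}</b> ${msg.subject}<br><small>${msg.preview}</small></li>`;
}

// HTML-encode the five characters that can change parsing context in text
// content or in double/single-quoted attributes. Apply at output time, not on
// storage, so the data stays intact for other consumers (search, APIs, apps).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[ch]);
}

// Hardened rendering: every untrusted field is encoded before it reaches the
// HTML, so the payload is displayed as literal text instead of being parsed.
function renderRowSafe(msg) {
  return `<li><b>${escapeHtml(msg.from)}</b> ${escapeHtml(msg.subject)}<br><small>${escapeHtml(msg.preview)}</small></li>`;
}

// Crude stand-in for what the HTML parser would see: any tag other than the
// ones the template itself emits (li, b, br, small) must have come from the
// message data, i.e. an injection succeeded.
function hasUnexpectedTag(html) {
  return /<(?!\/?(li|b|br|small)\b)/i.test(html);
}

console.log(hasUnexpectedTag(renderRowVulnerable(sampleMessage))); // true
console.log(hasUnexpectedTag(renderRowSafe(sampleMessage)));       // false
```

Encoding on output is the fix for this class of bug; marking session cookies HttpOnly limits what a payload that does get through can read, which is the "non-protected cookies" point in the researcher's quote.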

“An attacker can use this [vulnerability] to execute JavaScript on the victim's browser. He can steal non-protected cookies, he can redirect the victim to malicious domains, or direct them to malicious files to download, or even phishing pages that ask them to enter their Yahoo credentials,” Raafat said.

Raafat reported that the flaw did not affect the Yahoo Mail mobile applications. Yahoo! was notified of the vulnerability on 11 November via HackerOne, and the flaw was patched on 21 November.
