Klikki Oy security researcher Jouko Pynnonen nabbed a $10,000 Yahoo bug bounty for spotting a cross-site-scripting (XSS) vulnerability in the platform which allowed an attacker to read any email conversation a virus infecting Yahoo Mail accounts, among other things.
The flaw is rated as highly critical, is located in the email’s HTML filtering, and only requires the victim to view an email sent by the attacker and no further action, according to a Dec. 8 blog post.
“The flaw was reported to Yahoo Security via HackerOne on November 12 and fixed on November 29, 2016,” he said. “Yahoo awarded a bounty of $10,000 for the finding.”
The vulnerability was reported to Yahoo on November 12 and was patched by Nov. 29.