Application security, Vulnerability Management

XSS vulnerability found on mobile site of Yahoo! Mail

An easy-to-exploit cross-site scripting (XSS) vulnerability was found in Yahoo Mail's mobile site by security researcher Ibrahim Raafat.

All an attacker needed to do was compose an email containing an XSS payload and send it to the target. This was a stored XSS: the payload sat in the message and executed when the victim loaded Yahoo Mail from the mobile site. The victim did not even have to open the attacker's email; simply viewing the inbox from the mobile site was enough to run the malicious code.

“An attacker can use this [vulnerability] to execute JavaScript on the victim's browser. He can steal non-protected cookies, he can redirect the victim to malicious domains, or direct them to malicious files to download, or even phishing pages that ask them to enter their Yahoo credentials,” Raafat said.

Raafat reported that the flaw did not affect the native Yahoo Mail mobile applications. Yahoo! was notified of the vulnerability on 11 November via HackerOne, and the flaw was patched on 21 November.
