The flaw is rated as highly critical, is located in the email’s HTML filtering, and only requires the victim to view an email sent by the attacker and no further action.

Klikki Oy security researcher Jouko Pynnonen nabbed a $10,000 Yahoo bug bounty for spotting a cross-site-scripting (XSS) vulnerability in the platform which allowed an attacker to read any email conversation or create a virus infecting Yahoo Mail accounts, among other things.

The flaw is rated as highly critical, is located in the email's HTML filtering, and only requires the victim to view an email sent by the attacker and no further action, according to a Dec. 8 blog post.

Last year, Pynnonen received a separate Yahoo bug bounty for an earlier XSS vulnerability that allowed malicious JavaScript code to be embedded in a specially formatted email message. He said that some of his research stemming from the initial bug helped lead to the discovery of the most recent flaw, and that the data-* HTML attributes caught his eye.

“First, I realized my last year's effort to enumerate HTML attributes allowed by Yahoo's filter didn't catch all of them,” Pynnonen said in the blog post. “Second, since data-* HTML attributes are used to store application-specific data typically for JavaScript use, it seemed there was a new potential attack vector here.”

He said that because of this, it was possible to embed a number of HTML attributes that pass through Yahoo's HTML filter, which is meant to keep malicious code out of messages. Pynnonen said he was able to bypass this protection by sending a YouTube link in the email, which allowed him to execute malicious JavaScript in the user's mailbox.
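To illustrate the allowlist principle the article describes, here is an added example that is not Yahoo's filter (whose actual rules are not given on this page): a small HTML filter that rebuilds an email body keeping only explicitly allowlisted tags and attributes, so that data-* attributes and on* event handlers are dropped by default rather than having to be enumerated. The tag and attribute sets and the sample message are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists (assumption, not Yahoo's real configuration).
ALLOWED_TAGS = {"p", "b", "i", "a", "br", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"class"}, "span": {"class"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag and its text are both removed


class EmailHtmlFilter(HTMLParser):
    """Rebuild HTML keeping only allowlisted tags and attributes.

    Anything not explicitly allowed for a tag is dropped, so data-* attributes
    and on* handlers never reach the output even if nobody listed them.
    """

    def __init__(self):
        super().__init__()
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed; useful for detection logging
        self._skip = 0     # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:  # html.parser lowercases names for us
            if name in ALLOWED_ATTRS.get(tag, set()) and self._safe_value(name, value):
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    @staticmethod
    def _safe_value(name, value):
        # Only http(s) links survive in href; javascript: and data: URLs are rejected.
        if name == "href":
            return value is not None and value.strip().lower().startswith(("http://", "https://"))
        return True

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize(message_html):
    """Return (sanitized_html, dropped_attributes) for an email body."""
    f = EmailHtmlFilter()
    f.feed(message_html)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample message carrying the kinds of attributes a filter must strip.
SAMPLE = ('<div data-foo="x" onclick="alert(1)" class="c">'
          '<a href="javascript:alert(1)">x</a>'
          '<a href="https://www.youtube.com/watch?v=abc">y</a>'
          '<script>alert(1)</script><b>bold &amp; text</b></div>')
```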

“The flaw was reported to Yahoo Security via HackerOne on November 12 and fixed on November 29, 2016,” he said. “Yahoo awarded a bounty of $10,000 for the finding.”

The vulnerability was reported to Yahoo on November 12 and was patched by November 29.