Yahoo patches critical XSS vulnerability that allowed hackers to read any email

Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email.

The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen who earned $10,000 for the feat from Yahoos bug bounty program. The flaw allowed an attacker to read a victims email or create a virus infecting Yahoo Mail accounts among other things.

Unlike other email phishing scams and ransomware attacks, there was no need for the hacker to send a virus or trick the victim into clicking a specific link. Attackers would just send the email to victims, and be able to access their account if it was opened.

Last year, Pynnonen had reported another serious bug to Yahoo that allowed an attacker to take over any users account by using the same XSS vulnerability. According to him the impact of this bug was the same as last years XSS issue.

The bug in this case resided in the emails HTML filtering code. When someone sends an email with different kinds of attachments, Yahoo uses a filtering process to inspect the "raw" HTML of that email, which normally keeps malicious code at bay.

An investigation however, showed that attackers could easily bypass that filtration process by sending a YouTube link in the email that allows the hacker to execute JavaScript code and read users emails.

The report of the critical flaw comes just months after the tech giant admitted that a massive data breach in 2014 gave access to the personal information of more than 500 million user accounts.

The attack gave hackers access to names, email addresses, telephone numbers, encrypted and unencrypted security questions and answers, dates of birth, and encrypted passwords of users. The company later blamed the attack on state-sponsored parties but did not name any country.