Yahoo moved to patch the flaw before the bug could cause chaos
Security researchers have uncovered a flaw in Yahoo Mail that would have enabled hackers to snoop on users’ emails or use the accounts to spread viruses to other people.
Yahoo’s HackerOne bug bounty program was responsible for surfacing the flaw, which was spotted by Finnish white hat Jouko Pynnonen, who was awarded $10,000 (£7,947) for his efforts.
The email company moved quickly to squash the bug before it could cause havoc through the use of XSS (cross-site scripting) attacks.
Yahoo Mail bug
“As long as the URL pointed to a white-listed website such as YouTube, it was not further sanity checked or encoded. The value was used as is for setting a div innerHTML to create the button,” explained Pynnonen.
Using this technique, further malicious code could be injected into the HTML, spreading malware and viruses without the Yahoo Mail filter blocking them.
Luckily for Yahoo, the bug was spotted before it had time to be widely exploited, as one major hack and data leak this year has already caused serious problems for the company.
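The pattern Pynnonen describes, a host allowlist check followed by pasting the raw value into markup, is easy to reproduce and easy to fix. The example below is added here for illustration and is not Yahoo Mail's code: the function names, the allowlist, the button markup and the sample URL are all assumptions. It places the weak builder beside a hardened one that validates scheme and host, re-serialises the parsed URL and HTML-encodes it for the attribute context, with a small tag-count check a reviewer can use as a regression test.

```javascript
// Added example, not Yahoo's code. Hosts, names and markup are assumptions.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "youtube.com", "youtu.be"]);

// Weak version: only the host is checked, then the raw string is dropped
// into markup (what a div.innerHTML assignment would receive). Any quote or
// angle bracket in the URL becomes part of the HTML.
function buildButtonUnsafe(rawUrl) {
  let host;
  try { host = new URL(rawUrl).hostname; } catch { return null; }
  if (!ALLOWED_HOSTS.has(host)) return null;
  return `<a class="btn" href="${rawUrl}">Watch</a>`;
}

// Encode the five characters that can change element or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Hardened version: parse, require https and an allowlisted host, use the
// parser's own serialisation (which percent-encodes quotes and angle
// brackets), then HTML-encode for the attribute. In a browser, creating the
// element with document.createElement and setting .href / .textContent
// avoids string-built markup entirely.
function buildButtonSafe(rawUrl) {
  let parsed;
  try { parsed = new URL(rawUrl); } catch { return null; }
  if (parsed.protocol !== "https:" || !ALLOWED_HOSTS.has(parsed.hostname)) return null;
  return `<a class="btn" href="${escapeHtml(parsed.href)}">Watch</a>`;
}

// Regression check: a correctly encoded URL never opens a second element.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample input (not from the report): a YouTube URL carrying a
// quote and a tag, the kind of value a host-only check lets through.
const SAMPLE_URL = 'https://www.youtube.com/watch?v=abc"><b>x</b>';

console.log("unsafe tags:", countTags(buildButtonUnsafe(SAMPLE_URL)));
console.log("safe tags:  ", countTags(buildButtonSafe(SAMPLE_URL)));
```

The hardened builder still relies on string concatenation only so the output can be inspected; in page code the DOM-API form is preferable, and the allowlist should be compared against the parsed hostname rather than a substring match on the raw URL.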