Critical Yahoo Mail Security Flaw Allowed Hackers to Access Any Account

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Yahoo Mail can hardly be considered a secure email service after the parent company experienced a massive breach exposing 500 million accounts in 2014 but decided to keep it secret, and yet, every new vulnerability is still worrying for its users.

Security researcher Jouko Pynnonen discovered a cross-site scripting (XSS) security flaw in Yahoo Mail that would have essentially allowed an attacker to access any account and read emails freely. Yahoo has already patched this flaw last week and offered the researcher a $10,000 reward according to the company’s bounty program.

No user interaction needed
Specifically, Pynnonen explained that it was possible for an attacker to infiltrate into an account by simply bypassing Yahoo’s HTML filtering using links hiding malicious JavaScript code. What’s worse is that users didn’t even have to click on links or open files and it was enough for them to simply open an email sent by the hacker in order to become vulnerable.

“The flaw allowed an attacker to read a victim's email or create a virus infecting Yahoo Mail accounts, among other things. The attack required the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) was required,” the researcher notes.

Yahoo was informed about the hack on November 12 and the company delivered a fix on November 29, so all users are supposed to be safe now.

For those who forgot it, Yahoo Mail was hacked in 2014 as part of a breach that the company kept secret until earlier this year. Approximately 500 million accounts were exposed at that time, with Yahoo admitting that hackers accessed user information such as names, phone numbers, passwords, and email addresses.

What’s also worrying is that Pynnonen discovered a similar XSS vulnerability last year that also allowed attackers to breach accounts and read any email, so it goes without saying that Yahoo should spend more time searching for bugs like these in order to boost account security.
 

Janl1992l

Level 14
Verified
Well-known
Feb 14, 2016
648
Yahoo as a firm is shamefull for me since along time now. whoever use yahoo or i hear that someone still use yahoo i always say switch as fast as u can to another, trustworthly vendor for e-mails. Yahoo is a nogo for a long time now.
 
  • Like
Reactions: DardiM
W

Wave

Well hopefully for the sake of a hacker, they won't use the critical security flaw to access my old Yahoo accounts, because I think they'll end up 6ft into their grave due to death of boredom from reading the e-mails in the Inbox and checking the spam. :D
 

Janl1992l

Level 14
Verified
Well-known
Feb 14, 2016
648
checking the spam.
That remind me of my first yahoo e-mail( first e-mail in my life) i got thousands of thousands of spam mails because i realy do not care abit about where i put my e-mail to. im glad i learn much about the internet, security and so on. all this would made me crazy now.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I never connect directly to my accounts (yahoo, google, FAI, etc). I only retrieve by app the mails, filtering them.
=> It certainly helped a lot : I never had my yahoo account hacked (created before 2005)
 
Last edited:
  • Like
Reactions: Wave

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top