Critical Yahoo Mail Security Flaw Allowed Hackers to Access Any Account

[Exterminator]

Yahoo Mail can hardly be considered a secure email service after the parent company experienced a massive breach exposing 500 million accounts in 2014 but decided to keep it secret, and yet, every new vulnerability is still worrying for its users.

Security researcher Jouko Pynnonen discovered a cross-site scripting (XSS) security flaw in Yahoo Mail that would have essentially allowed an attacker to access any account and read emails freely. Yahoo has already patched this flaw last week and offered the researcher a $10,000 reward according to the company’s bounty program.

No user interaction needed
Specifically, Pynnonen explained that it was possible for an attacker to infiltrate into an account by simply bypassing Yahoo’s HTML filtering using links hiding malicious JavaScript code. What’s worse is that users didn’t even have to click on links or open files and it was enough for them to simply open an email sent by the hacker in order to become vulnerable.

“The flaw allowed an attacker to read a victim's email or create a virus infecting Yahoo Mail accounts, among other things. The attack required the victim to view an email sent by the attacker. No further interaction (such as clicking on a link or opening an attachment) was required,” the researcher notes.

Yahoo was informed about the hack on November 12 and the company delivered a fix on November 29, so all users are supposed to be safe now.

For those who forgot it, Yahoo Mail was hacked in 2014 as part of a breach that the company kept secret until earlier this year. Approximately 500 million accounts were exposed at that time, with Yahoo admitting that hackers accessed user information such as names, phone numbers, passwords, and email addresses.

What’s also worrying is that Pynnonen discovered a similar XSS vulnerability last year that also allowed attackers to breach accounts and read any email, so it goes without saying that Yahoo should spend more time searching for bugs like these in order to boost account security.

 

[Janl1992l]

Yahoo as a firm is shamefull for me since along time now. whoever use yahoo or i hear that someone still use yahoo i always say switch as fast as u can to another, trustworthly vendor for e-mails. Yahoo is a nogo for a long time now.

 

[Wave]

Well hopefully for the sake of a hacker, they won't use the critical security flaw to access my old Yahoo accounts, because I think they'll end up 6ft into their grave due to death of boredom from reading the e-mails in the Inbox and checking the spam.

 

[Janl1992l]

checking the spam.

That remind me of my first yahoo e-mail( first e-mail in my life) i got thousands of thousands of spam mails because i realy do not care abit about where i put my e-mail to. im glad i learn much about the internet, security and so on. all this would made me crazy now.

 

[DardiM]

I never connect directly to my accounts (yahoo, google, FAI, etc). I only retrieve by app the mails, filtering them.
=> It certainly helped a lot : I never had my yahoo account hacked (created before 2005)