PINDROP BLOG

Yahoo Patches Critical XSS Flaw in Mail

There was a serious security flaw in the Yahoo Mail that enabled an attacker to attach malicious code to a victim’s outgoing messages or read any email in the victim’s inbox just by having the victim open a carefully crafted email.

Yahoo patched the vulnerability last week, closing a hole that the researcher who discovered it said was dead simple to exploit. The bug was a stored cross-site scripting vulnerability and was nearly identical to one the researcher, Jouko Pynnönen discovered earlier this year. The issue he found involves the way that Yahoo Mail handled some specific HTML attributes. Pynnönen found that by inserting some HTML with malicious attributes into an email, he could get access to the target’s inbox once the victim opened the message.

Pynnönen said he came across the vulnerability after looking at the various HTML attributes and the way Yahoo Mail processed them.

“To get a more complete picture of the available data-* attributes I went to the Sources tab in Chrome’s Developer Tools and looked for references to data-url in the JavaScript files that are loaded in the mail reading view. One thing I found there was that also YouTube links are “enhanced” by Yahoo Mail. Entering a YouTube video link in the email composing view generates similar “link enhancer card” markup including a set of data-* attributes,” Pynnönen said in an explanation of the bug.

“When a message containing this kind of markup is opened in Yahoo Mail, it will add the video embedded in an <IFRAME> tag. A share button is also displayed next to the video. These features are built using the said data-* attributes by Yahoo Mail’s JavaScript code.

“I tried creating an email with ‘abusive’ data-* attributes and bingo!, found a pathological case pretty quickly. Inserting a quote symbol in the data-url value caused broken HTML in the share button. As long as the URL pointed to a white-listed website such as YouTube, it was not further sanity checked or encoded. The value was used as is for setting a div innerHTMLto create the button.”

Pynnönen reported the vulnerability to Yahoo through the HackerOne bug bounty platform and the company patched the bug last week. This is the second stored XSS that Pynnönen has discovered in Yahoo Mail. In January he disclosed a similar flaw, which Yahoo fixed.

Webinar: Call Center Fraud Vectors & Fraudsters Defeated