Yahoo Mail Rewards a Researcher with $10,000!

Finnish security researcher Jouko Pynnonen discovered a security flaw in Yahoo Mail: a stored XSS (cross-site scripting) vulnerability, which Yahoo has since patched. Yahoo rewarded Pynnonen with $10,000 for finding this critical flaw.

Pynnonen said the flaw is critical because an attacker could embed malicious JavaScript in an email and send it to anyone. As soon as the targeted user opened that email, the code would run automatically and the attacker could take control of the victim's email account, for example by redirecting the victim's incoming email to a server of the attacker's choice. Pynnonen also noted that the attacker could do many other things with the malicious JavaScript, since it runs in the victim's browser whenever the victim is logged in to Yahoo Mail, and it could be delivered in many forms. For example, the attacker could plant the malicious JavaScript in the victim's email signature, so that the code would be included in every outgoing email.

Pynnonen stated that he found the bug because it was possible to bypass Yahoo Mail's HTML filters by uploading specially crafted HTML. He inserted tags containing unencoded HTML characters, which the filter turned into a boolean attribute (an attribute that is valid without a value, such as checked or ismap), and he used this boolean attribute to embed the malicious code in the email.
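To make this bug class concrete, here is a toy webmail HTML filter written for this article as an added example. It is not Yahoo's code, and the specific mistake it models (copying the unexpected value of a boolean attribute back out without escaping it) is an assumption chosen to illustrate the report, not the exact defect Pynnonen found; the tag and attribute allowlists and the sample email body are likewise constructed for the example.

```javascript
// Added illustration of the bug class described above: a webmail HTML
// filter that mishandles boolean attributes. This is NOT Yahoo's filter;
// the allowlists, the regexes and the exact mistake are assumptions made
// for this example. Run with: node sanitizer-demo.js

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'br', 'a', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'ismap', 'hidden']);
// Boolean attributes are valid without a value; their presence alone is the signal.
const BOOLEAN_ATTRS = new Set(['ismap', 'hidden']);

// One attribute: name, then optionally = "double-quoted" | 'single-quoted' | unquoted
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
// One tag: optional "/", name, raw attribute text, optional self-closing "/"
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*(\/?)>/g;

function parseAttrs(raw) {
  const attrs = [];
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs.push({ name: m[1].toLowerCase(), value: m[2] ?? m[3] ?? m[4] ?? null });
  }
  return attrs;
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild every tag from the allowlists. `hardened` selects the boolean-attribute fix.
function sanitize(html, hardened) {
  return html.replace(TAG_RE, (_whole, close, tag, rawAttrs, selfClose) => {
    tag = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';      // unknown tag: drop it
    if (close) return `</${tag}>`;
    const parts = [];
    for (const { name, value } of parseAttrs(rawAttrs)) {
      if (!ALLOWED_ATTRS.has(name)) continue;   // every on* handler is refused by name
      if (BOOLEAN_ATTRS.has(name)) {
        if (hardened || value === null) {
          parts.push(name);                     // correct: emit the bare name only
        } else {
          // BUG (naive filter): assumes a boolean attribute cannot carry a payload
          // and copies the unexpected value verbatim, without escaping quotes.
          // A value such as  x" onerror="...  therefore becomes a new attribute.
          parts.push(`${name}="${value}"`);
        }
        continue;
      }
      if (value === null) continue;
      if ((name === 'href' || name === 'src') && /^\s*javascript:/i.test(value)) continue;
      parts.push(`${name}="${escapeAttr(value)}"`);
    }
    const attrText = parts.length ? ' ' + parts.join(' ') : '';
    return `<${tag}${attrText}${selfClose ? ' /' : ''}>`;
  });
}

const naiveFilter = (html) => sanitize(html, false);
const hardenedFilter = (html) => sanitize(html, true);

// Re-parse the filtered output the way a browser would and report whether any
// on* event-handler attribute survived. This is the check a filter should run on
// its own output.
function hasEventHandler(html) {
  for (const m of html.matchAll(TAG_RE)) {
    if (parseAttrs(m[3]).some((a) => a.name.startsWith('on'))) return true;
  }
  return false;
}

// Constructed sample email body: a boolean attribute whose value smuggles a quote
// and an event handler past the filter.
const SAMPLE_EMAIL =
  '<p>Invoice attached.</p>' +
  '<img src="https://example.invalid/logo.png" ismap=\'x" onerror="alert(document.cookie)\'>';

console.log('naive   :', naiveFilter(SAMPLE_EMAIL));
console.log('hardened:', hardenedFilter(SAMPLE_EMAIL));
console.log('naive output still carries a handler?', hasEventHandler(naiveFilter(SAMPLE_EMAIL)));
```

The naive variant turns the attacker's single-quoted ismap value into a second, browser-visible onerror attribute, which is exactly the kind of stored payload that would run when the recipient views the message. The hardened variant emits a boolean attribute as its bare name, escapes every other allowed value and drops javascript: URLs. A production filter should additionally use a real HTML tokenizer rather than regular expressions, decode entities before filtering, and handle text nodes, comments and CSS, none of which this example covers.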

Pynnonen reported the vulnerability through Yahoo's HackerOne bug bounty program on 26 December of last year (2015). Yahoo fixed it on 6 January and paid him $10,000 for the discovery.