A stored XSS vuln in Yahoo! Mail has netted Finnish researcher Jouko Pynnönen of Klikki Oy a US$10,000 bug bounty.

Pynnönen turned up the bug with a bit of old-fashioned brute force: he fed the system an HTML e-mail containing “all known HTML tags and attributes” to see what survived the Purple Palace's filters.

What's supposed to happen is that Yahoo! Mail should filter malicious HTML code, and this mostly works. However, Pynnönen found, “certain malformed HTML code could pass the filter”. An attacker could embed malicious JavaScript in a correctly-formatted message, and get past the filters.

If an attacker puts the wrong value into a Boolean field, the filter strips it out, but leaving a mistake behind. In the example below, the field CHECKED is supposed to be Boolean:

input type="checkbox" checked="hello" name="check box"

After filtering it looked like this:

input type="checkbox" checked="name="check"

(Note, so The Register's CMS displays this correctly, the < and > symbols denoting the start and end of the tags have been left out.)

Browsers mishandle this, he writes, by treating NAME=”check as the value of the variable CHECKED, and leaving box” as something of an orphan – and that's where the exploit comes in, because in place of box” Pynnönen could “insert unrestricted HTML” in the Boolean tags.

Yahoo! fixed the bug after he reported it in December, Oy concludes. ®

Bootnote: This monolingual Australian writer originally mistook the name of a company, Klikki Oy, for the individual Jouko Pynnönen. My apologies, and thanks to Pynnönen for bring it to my attention. ®