Yahoo patches critical XSS vulnerability that would allow hackers to read any email

Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email.

The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen who earned $10,000 for the feat from Yahoo's bug bounty program. The flaw allowed an attacker to read a victim's email or create a virus infecting Yahoo Mail accounts among other things.

Unlike other email phishing scams and ransomware attacks, there is no need for the hacker to send a virus or trick the victim into clicking a specific link. Attackers would just send a mail to victims to access their emails.

Last year, Pynnonen had reported a serious bug for Yahoo that allowed an attacker to take over any user's account by using the same XSS vulnerability. According to him the impact of this bug was the same as last year's XSS issue.

The bug in this case resided in the email's HTML filtering. When someone sends an email with different kinds of attachments to inspect the "raw" HTML of that email for security reasons, Yahoo uses the filtering process for HTML messages to keep malicious codes at bay.

An investigation, however, showed that attackers could very well bypass the filtration process by sending a YouTube link in the email that allows the hacker to execute JavaScript code and read user's emails.

The report of the critical flaw comes just months after the tech giant admitted that massive data breach in 2014 gave access to information of more than 500 million user accounts. The attack, which is the largest in the history of the Internet, gave hackers access to names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords of users. The company later blamed the attack on state-sponsored parties but did not name any country.