Slashdot Mirror


Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails (zdnet.com)

Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim's email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty. In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.
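
The summary above describes an HTML-message filter that stripped known-bad markup but let unrecognised data attributes through, and a comment further down makes the general point that denying known-bad HTML never works and that you have to allowlist instead. The example below is added here to show that contrast in code; it is not Yahoo's filter, not the researcher's write-up, and not from the page. The tag and attribute allowlist, the safe URL schemes, the sample message and the `blocklist_sanitize` counterexample are all assumptions chosen for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a mail renderer (not Yahoo's real policy): tag -> attributes it may carry.
# Anything absent here, including every data-* attribute and every on* handler, is dropped by construction.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"href", "src"}              # attributes whose value must carry a safe scheme
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}                # never emit a closing tag for these
DROP_WITH_CONTENT = {"script", "style"}  # the tag and everything inside it disappear


def _safe_value(name, value):
    """URL-bearing attributes must use an absolute, allowlisted scheme; other values are fine once escaped."""
    if name not in URL_ATTRS:
        return True
    return urlparse((value or "").strip()).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the message from scratch, emitting only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attribute-or-None) records: what the message tried to carry, for logging
        self._skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))   # unknown tag is removed; its text content still flows through
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or not _safe_value(name, value):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape so text can never become markup.
        if not self._skip_depth:
            self.out.append(escape(data))


def allowlist_sanitize(html):
    """Return (clean_html, dropped) for an untrusted HTML message body."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


def blocklist_sanitize(html):
    """The approach the comments warn against: strip known-bad constructs and let everything else through."""
    html = re.sub(r"<script\b[^>]*>.*?</script>", "", html, flags=re.I | re.S)
    html = re.sub(r"""\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", "", html, flags=re.I)
    return html


# Constructed sample message (not from the disclosure): one unknown data-* attribute,
# one unsafe URL scheme and one event handler, mixed with legitimate markup.
SAMPLE = (
    '<p>Hello <b data-x="attacker-controlled">friend</b>, '
    '<a href="javascript:void(0)" title="t">click</a> '
    '<img src="https://example.invalid/a.png" alt="a" onerror="x()"></p>'
)

if __name__ == "__main__":
    print("blocklist :", blocklist_sanitize(SAMPLE))
    clean, dropped = allowlist_sanitize(SAMPLE)
    print("allowlist :", clean)
    print("dropped   :", dropped)
```

Run as a script, the deny-list version removes the event handler it knows about but passes the `data-x` attribute and the unsafe `href` untouched, because neither is on its list. The allowlist version never has to know what is bad: it keeps `title`, `src` and `alt`, drops everything else, and the `dropped` list gives a mail service a cheap signal for detection, since a message that tries to carry many stripped attributes is worth a closer look.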

30 comments

  1. Yes by fustakrakich · · Score: 1

    Now only the government can read users' emails

    --
    “He’s not deformed, he’s just drunk!”

    1. Re:Yes by Anonymous Coward · · Score: 0

      Sarah Palin can breathe a sigh of relief!

    2. Re:Yes by Anonymous Coward · · Score: 0

      This. Yahoo! should! shut! the! fuck! up! and! close! shop!

    3. Re:Yes by Anonymous Coward · · Score: 0

      Obviously it's the Russians trying to elect Trump again.

    4. Re:Yes by Anonymous Coward · · Score: 0

      Is Yahoo Mail still using HTTP for sending the data back?

  2. That is a great title by Anonymous Coward · · Score: 0

    for misleading readers

  3. And is it a flaw on POP too? by Anonymous Coward · · Score: 0

    How does the attacker get the information if it is being popped and not being accessed by web?

    Oh, they don't? The older way BEFORE webmail is actually MORE SECURE?

    Then why the fuck does Yahoo think they can tell ME about using MY "insecure method" of getting email and I really should upgrade to their blahtity blatity blah?

    Keep going Yahoo. I've been a user of yours for well over a decade. And you're about one more hair's breadth from not receiving another dime from me again. (At least $2,000 over the years for both webhost and POP mail access.)

    1. Re: And is it a flaw on POP too? by Ilgaz · · Score: 1

      They still don't provide SSL IMAP even if you pay? I remember they declined to support even APOP back in the day.

      I am paying the Fastmail guys; they even try to make (open, documented) progress on the IMAP protocol.

  4. blacklisting HTML by Anonymous Coward · · Score: 1

    never works, you need to sandbox it or whitelist or gtfo

  5. What??? by Anonymous Coward · · Score: 0

    Does that mean anyone can read the spam that I have sent to my junk yahoo account?

  6. Why in the World? by Anonymous Coward · · Score: 0

    Why in the world would anybody in their right mind continue to use Yahoo after everything that's come out about them this year? Changing your email is a pain in the ass but worth it in this case.

    1. Re: Why in the World? by Ilgaz · · Score: 1

      Just like cellular providers in some countries, free forwarding of email to other domains should be mandatory for commercial/adware (yes, adware) providers.

      There were days when even Hotmail was a nice, clean e-mail service. Nobody can blame anyone for sticking with a decade-plus-old address. I know a very good, respected commercial shareware developer using his @aol.com email.

  7. Slap-in-the-face rewards and impact. by geekmux · · Score: 3, Insightful

    > "The internet giant paid out $10,000..."

    So being able to read your customers' email is only worth $10,000 to you, Yahoo?

    Don't be surprised if you find the next hack against you was sold to the black market for half that amount, simply because you're too fucking cheap to offer up more than a financial slap in the face.

    One would think money talks would be a well-known and understood concept to a greedy corporation.

    1. Re: Slap-in-the-face rewards and impact. by Anonymous Coward · · Score: 0

      I think they weighted it by the number of people who actually use Yahoo mail...

    2. Re:Slap-in-the-face rewards and impact. by Anonymous Coward · · Score: 0

      > Don't be surprised if you find the next hack against you was sold to the black market for half that amount, simply because you're too fucking cheap to offer up more than a financial slap in the face.

      > One would think money talks would be a well-known and understood concept to a greedy corporation.

      Umm... if I'm going to only get half that amount on the black market, it is still worth it, financially, to disclose responsibly... now if the black market offered me twice that amount or more, then I absolutely agree the purple palace are cheap and greedy.

  8. a possible zero day by Anonymous Coward · · Score: 1

    fixed and revealed after the fact. nice and gg.

    1. Re:a possible zero day by TheReaperD · · Score: 2

      Thankfully, it's easier for a web service to fix issues like this because they don't have to try and figure out how to get millions of end users to actually update their software to fix problems.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -

  9. The hacker will enjoy my emails by lmcgeoch · · Score: 2

    Well, the only Yahoo mail I have, I use for my Flylady emails. The hacker will learn how to enjoy the holidays while getting all the holiday chores done without any stress or inconvenience to our families. :) Enjoy your hacker you!

  10. $10000 for critical bug discovery by Anonymous Coward · · Score: 0

    Here you go Mr. Hacker for finding a critical bug in one of the few services keeping the company alive... $10,000. Enjoy it.

    Here you go CEO, here's a $50 million bonus for your focus on improving security on Yahoo.

    1. Re:$10000 for critical bug discovery by 110010001000 · · Score: 1

      +5 insightful.

  11. POP3/IMAP/SMTP by Anonymous Coward · · Score: 0

    These services still call these established e-mail access methods "less secure", and encourage you to turn them off rather frequently. Is this because then they can't show you ads on their web-mail site?

    (captcha: sucking)

  12. Two sides to that. For a week's work, not bad by raymorris · · Score: 1

    There are two sides to that. In a day I can run a suite of tools across a dozen such services. Those tools will find likely weak areas with little effort or time on my part. Over the next couple of days, I can explore the issues highlighted by the tools and quite possibly find an issue like this.

    At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair. Another way of looking at that is that skilled people DO in fact participate in bug bounty programs, so they find it worthwhile.

    Yes, in theory committing crimes could be an easier way for people to make money, until they go to prison. A bank robber makes more per hour than a bank teller.

    1. Re:Two sides to that. For a week's work, not bad by Anonymous Coward · · Score: 0

      1. To believe what you say, you would have to actually do what you have claimed is in your own best interests to do yet have chosen not to.

      2. Selling exploits is very easy to get away with. Selling exploits to the government is legal and encouraged. Remember the single-use hack of an iPhone that cost taxpayers a cool $1mil? Quite a bit nicer than 10k.

    2. Re:Two sides to that. For a week's work, not bad by geekmux · · Score: 1

      > At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair.

      Actually, no, they are not "fair". Case in point: a corporation selling security vulnerability analysis walks in the door. It might take them 5 minutes to configure their network scanning tool, and an hour to run it and produce the report, but you will certainly find that the level of effort does not incite them to charge any less for the report.

      When it comes to security analysis and remediation, level of effort should never be a pricing metric, in much the same way that a surgeon's salary should not be based on the number of lives saved.

      This is especially true when the cost savings and reputation mitigation for a multi-billion dollar corporation is a hell of a lot more than the bounty reward.

      TL;DR: Current bug bounty levels are pathetic. Bounty payout should be relative to corporate reward, or at least priced high enough to entice everyone away from the black market.

  13. No price entices everyone from crime by raymorris · · Score: 1

    > level of effort should never be a pricing metric, in much the same way that a surgeons salary should not

    You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.

    > at least priced high enough to entice everyone away from the black market.

    There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to do things right, some choose crime instead. That'll always be true.

    1. Re:No price entices everyone from crime by geekmux · · Score: 1

      >> level of effort should never be a pricing metric, in much the same way that a surgeons salary should not

      > You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.

      You may notice that obtaining a high-end security certification requires a ton of studying, as well as years of direct experience and hands-on work in the field. Therefore, people don't generally put in that level of effort unless they'll be well paid for it. And they are, which is my entire fucking point. I've seen my company pay upwards of $400/hr. for security-related work.

      >> at least priced high enough to entice everyone away from the black market.

      > There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to do things right, some choose crime instead. That'll always be true.

      Accountants get paid far more than a paltry bounty, for the same reasons I've already cited. My point stands.

  14. another reason to leave by Doke · · Score: 1

    As if there weren't already enough reasons for users to dump Yahoo?

  15. Who? by Anonymous Coward · · Score: 0

    Who?

  16. They should fix their email web interface by OneHundredAndTen · · Score: 1

    It is the slowest, most ponderous, most irritating one out there bar none. I hope this year they will not add those ridiculous Christmas gimmicks, which make it even slower, more ponderous and more irritating.