Slashdot Mirror


Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails (zdnet.com)

Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim's email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty. In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.
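An added illustration of the filtering problem described above (example code written for this page, not Yahoo's filter and not anything from Pynnonen's write-up): one HTML-mail sanitizer run with two attribute policies. The denylist policy removes event handlers, inline styles and unsafe URL schemes, the attributes a filter author thinks of, and passes everything else, so a `data-*` attribute survives. That attribute is inert to the browser on its own, but it carries attacker-controlled content into the page, and any webmail script that reads `data-*` values and writes them into the DOM turns it into XSS. The allowlist policy keeps only attributes positively approved for each tag, so the same input comes out clean. The sample message, including the `evil.example` URL in it, is constructed for the example.

```python
# Added example (not Yahoo's filter and not code from Pynnonen's write-up):
# one HTML-mail sanitizer run with two attribute policies.
from html import escape
from html.parser import HTMLParser

DROP_WITH_CONTENT = {"script", "style"}   # tags whose content is discarded entirely
# Tags that are emitted; the value is the attribute set the allowlist policy accepts.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "div": set(), "span": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(value):
    v = (value or "").strip().lower()
    return any(v.startswith(s) for s in SAFE_URL_SCHEMES)


def deny_attr_policy(tag, name, value):
    """Denylist: drop what is known to be dangerous, keep everything else.
    An unexpected attribute such as data-* passes through untouched."""
    if name.startswith("on"):                       # onclick, onerror, ...
        return False
    if name == "style":                             # CSS is its own attack surface
        return False
    if name in URL_ATTRS and not _safe_url(value):  # javascript:, data:, vbscript:
        return False
    return True


def allow_attr_policy(tag, name, value):
    """Allowlist: keep only attributes approved for this tag, and for URL
    attributes only with a safe scheme."""
    if name not in ALLOWED[tag]:
        return False
    return name not in URL_ATTRS or _safe_url(value)


class _Sanitizer(HTMLParser):
    """Re-serialises the input, keeping only ALLOWED tags and the attributes
    the policy accepts.  Unknown tags are dropped but their text is kept."""

    def __init__(self, attr_policy):
        super().__init__(convert_charrefs=True)
        self.attr_policy = attr_policy
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return
        kept = "".join(
            f' {name}="{escape(value or "", quote=True)}"'   # re-escape on output
            for name, value in attrs if self.attr_policy(tag, name, value)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def _sanitize(html, attr_policy):
    p = _Sanitizer(attr_policy)
    p.feed(html)
    p.close()
    return "".join(p.out)


def denylist_sanitize(html):
    return _sanitize(html, deny_attr_policy)


def allowlist_sanitize(html):
    return _sanitize(html, allow_attr_policy)


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        self.names.update(name for name, _ in attrs)


def surviving_attrs(html):
    """Audit helper: which attribute names are left after filtering."""
    c = _AttrCollector()
    c.feed(html)
    c.close()
    return sorted(c.names)


# Constructed sample message (not a real captured mail).  The data-url value is
# harmless to the browser by itself, but is a payload wherever the webmail's own
# scripts read data-* attributes and write their contents into the page.
SAMPLE_MAIL = (
    '<p onmouseover="alert(1)" style="color:red">Hi,</p>'
    '<a href="javascript:alert(1)" data-url="https://evil.example/&quot;&gt;&lt;img src=x onerror=alert(1)&gt;">see attachment</a>'
    '<script>alert(1)</script>'
)

if __name__ == "__main__":
    for label, fn in (("denylist", denylist_sanitize), ("allowlist", allowlist_sanitize)):
        cleaned = fn(SAMPLE_MAIL)
        print(f"{label}: {cleaned}")
        print(f"  surviving attributes: {surviving_attrs(cleaned)}")
```

Running the block prints both results and the attribute names left in each. `surviving_attrs` is the check worth running on any filter's output: the question is not whether the known-bad attributes were removed but whether anything unexpected was kept. A production webmail should rely on a maintained allowlist sanitizer (and sandbox the rendered message where it can) rather than this hand-written one, which handles neither CSS nor SVG/MathML and exists only to put the two policies side by side.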

15 of 30 comments

  1. Yes by fustakrakich · · Score: 1

    Now only the government can read users' emails

    --
    “He’s not deformed, he’s just drunk!”
  2. blacklisting HTML by Anonymous Coward · · Score: 1

    never works, you need to sandbox it or whitelist or gtfo

  3. Slap-in-the-face rewards and impact. by geekmux · · Score: 3, Insightful

    "The internet giant paid out $10,000..."

    So being able to read your customers email is only worth $10,000 to you, Yahoo?

    Don't be surprised if you find the next hack against you was sold to the black market for half that amount, simply because you're too fucking cheap to offer up more than a financial slap in the face.

    One would think that "money talks" would be a well-known and understood concept to a greedy corporation.

  4. a possible zero day by Anonymous Coward · · Score: 1

    fixed and revealed after the fact. nice and gg.

    1. Re:a possible zero day by TheReaperD · · Score: 2

      Thankfully, it's easier for a web service to fix issues like this because they don't have to try and figure out how to get millions of end users to actually update their software to fix problems.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
  5. The hacker will enjoy my emails by lmcgeoch · · Score: 2

    Well, the only Yahoo mail I have, I use for my Flylady emails. The hacker will learn how to enjoy the holidays while getting all the holiday chores done without any stress or inconvenience to our families. :) Enjoy, you hacker you!

  6. Re:$10000 for critical bug discovery by 110010001000 · · Score: 1

    +5 insightful.

  7. Two sides to that. For a week's work, not bad by raymorris · · Score: 1

    There are two sides to that. In a day I can run a suite of tools across a dozen such services. Those tools will find likely weak areas with little effort or time on my part. Over the next couple of days, I can explore the issues highlighted by the tools and quite possibly find an issue like this.

    At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair. Another way of looking at that is that skilled people DO in fact participate in bug bounty programs, so they find it worthwhile.

    Yes, in theory committing crimes could be an easier way for people to make money, until they go to prison. A bank robber makes more per hour than a bank teller.

    1. Re:Two sides to that. For a week's work, not bad by geekmux · · Score: 1

      > At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair.

      Actually, no, they are not "fair". Case in point: a corporation selling security vulnerability analysis walks in the door. It might take them 5 minutes to configure their network scanning tool, and an hour to run it and produce the report, but you will certainly find that the level of effort does not incite them to charge any less for the report.

      When it comes to security analysis and remediation, level of effort should never be a pricing metric, in much the same way that a surgeon's salary should not be based on number of lives saved.

      This is especially true when the cost savings and reputation mitigation for a multi-billion dollar corporation is a hell of a lot more than the bounty reward.

      TL;DR - Current bug bounty levels are pathetic. Bounty payout should be relative to corporate reward, or at least priced high enough to entice everyone away from the black market.

  8. No price entices everyone from crime by raymorris · · Score: 1

    > level of effort should never be a pricing metric, in much the same way that a surgeon's salary should not

    You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.

    > at least priced high enough to entice everyone away from the black market.

    There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to do things right, some choose crime instead. That'll always be true.

    1. Re:No price entices everyone from crime by geekmux · · Score: 1

      > level of effort should never be a pricing metric, in much the same way that a surgeon's salary should not

      > You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.

      You may notice that obtaining a high-end security certification requires a ton of studying, as well as years of direct experience and hands-on work in the field. Therefore, people don't generally put in that level of effort unless they'll be well paid for it. And they are, which is my entire fucking point. I've seen my company pay upwards of $400/hr. for security-related work.

      > at least priced high enough to entice everyone away from the black market.

      > There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to do things right, some choose crime instead. That'll always be true.

      Accountants get paid far more than a paltry bounty, for the same reasons I've already cited. My point stands.

  9. another reason to leave by Doke · · Score: 1

    As if there weren't already enough reasons for users to dump Yahoo?

  10. They should fix their email web interface by OneHundredAndTen · · Score: 1

    It is the slowest, most ponderous, most irritating one out there bar none. I hope this year they will not add those ridiculous Christmas gimmicks, which make it even slower, more ponderous and more irritating.

  11. Re: And it a flaw on POP too? by Ilgaz · · Score: 1

    They still don't provide SSL IMAP even if you pay? I remember they declined to support even APOP back in the day.

    I am paying the Fastmail guys; they even try to make (open, documented) progress on the IMAP protocol.

  12. Re: Why in the World? by Ilgaz · · Score: 1

    Just like with cellular providers in some countries, free forwarding of email to other domains should be mandatory for commercial/adware (yes, adware) providers.

    There were days when even Hotmail was a nice, clean e-mail service. Nobody can blame anyone for sticking with a decade+ old address. I know a very good, respected commercial shareware developer using his @aol.com email.