Slashdot Mirror


Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails (zdnet.com)

Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim's email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty. In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.
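As an added illustration (not Yahoo's code and not from the researcher's write-up), here is an allowlist-based attribute filter of the kind that closes this class of gap: rather than enumerating dangerous attributes, it keeps only a known-safe set, so an attribute family the filter author never considered (such as data-*) is dropped by default. The tag set, attribute set and sample message are constructed for the example.

```javascript
// Allowlist sanitizer for HTML email bodies (constructed example).
// Denylist filters fail open when a new attribute class is missed;
// an allowlist fails closed: anything not explicitly permitted is removed.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a', 'br', 'div', 'span']);
const ALLOWED_ATTRS = { '*': new Set(['title']), a: new Set(['href']) };

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Only absolute http(s) and mailto links survive; every other scheme is dropped.
function safeHref(v) {
  return /^(https?:|mailto:)/i.test(v.trim());
}

function sanitizeTag(raw, name, attrText) {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return '';            // unknown element: removed
  if (raw.startsWith('</')) return `</${tag}>`;
  const kept = [];
  for (const m of attrText.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    const perTag = ALLOWED_ATTRS[tag] ?? new Set();
    if (!ALLOWED_ATTRS['*'].has(attr) && !perTag.has(attr)) continue; // data-*, style, ... dropped
    if (attr === 'href' && !safeHref(value)) continue;
    kept.push(`${attr}="${escapeText(value).replace(/"/g, '&quot;')}"`);
  }
  return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));   // text between tags is escaped
    out += sanitizeTag(m[0], m[1], m[2]);
    last = m.index + m[0].length;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample message: data-* and style attributes are not in the allowlist.
const SAMPLE = '<p data-role="x">Hi <b style="color:red">there</b> '
  + '<a href="https://example.com" title="t" data-id="7">link</a> 1 < 2</p>';
console.log(sanitizeHtml(SAMPLE));
```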

3 of 30 comments

  1. Slap-in-the-face rewards and impact. by geekmux · Score: 3, Insightful

    "The internet giant paid out $10,000..."

    So being able to read your customers email is only worth $10,000 to you, Yahoo?

    Don't be surprised if you find the next hack against you was sold to the black market for half that amount, simply because you're too fucking cheap to offer up more than a financial slap in the face.

    One would think "money talks" would be a well-known and understood concept to a greedy corporation.

  2. Re: a possible zero day by TheReaperD · Score: 2

    Thankfully, it's easier for a web service to fix issues like this because they don't have to try and figure out how to get millions of end users to actually update their software to fix problems.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -

  3. The hacker will enjoy my emails by lmcgeoch · Score: 2

    Well, the only Yahoo mail I have, I use for my Flylady emails. The hacker will learn how to enjoy the holidays while getting all the holiday chores done without any stress or inconvenience to our families. :) Enjoy your hacker you!