Yahoo Mail has fixed a bug in its software that left hundreds of millions of users vulnerable to specially crafted emails that could have been used to steal data or spread malware on a huge scale.
The flaw was so bad that users didn’t even have to open the emails to be affected.
The bug was closed by Yahoo on 21 November, just ten days after it was reported by penetration tester Ibrahim Raafat.
Raafat discovered that users of Yahoo Mail’s mobile interface were vulnerable to an XSS (Cross-Site Scripting) attack, one of the most common and easily thwarted forms of attack that websites face.
XSS vulnerabilities can happen anywhere that a web page includes information supplied by a user but doesn’t properly sanitise or encode it.
Such attacks turn otherwise legitimate websites into platforms that can be used to attack their own users.
User-supplied information (such as blog comments or forum posts) that isn’t properly encoded is treated as code by web browsers. The malicious code runs with the same level of trust as all the other code on the page, which means that an attacker can use it to harvest cookies or other sensitive information, or to attack the web browser or computer of somebody looking at the page.
What Raafat discovered was that the mobile web version of Yahoo Mail didn’t properly encode the content of the emails its users received before displaying it.
All he had to do was write an email containing code instead of text, and the recipient’s browser would unwittingly run it when the message was displayed in Yahoo Mail. To make matters worse, the victim didn’t even have to open the email – it only had to appear, unopened, in their inbox for the code to run.
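The flaw described above, as an added example that is not Yahoo’s code and not Raafat’s exploit: a made-up inbox-preview renderer that pastes the email body straight into the page’s HTML, beside a version that encodes every untrusted field first. The inbox contents, the `prompt()` payload and the function names are constructed for illustration; the payload is the sort of thing the demo video shows, not the exact one used.

```javascript
// Added example (not Yahoo's code): how an unencoded email body in an inbox
// listing becomes stored XSS that fires before the message is opened.

// Constructed inbox. The second message carries attacker-controlled markup;
// the browser would run the onerror handler as soon as the list is drawn.
const sampleInbox = [
  { from: "alice@example.com", subject: "Lunch?", body: "See you at 12." },
  {
    from: "attacker@example.com",
    subject: "Invoice",
    // hypothetical payload: opens a prompt, as a visible sign the body ran as code
    body: '<img src=x onerror="prompt(document.cookie)">',
  },
];

// Vulnerable renderer: concatenates untrusted fields into HTML unchanged.
function renderPreviewUnsafe(msg) {
  return `<li><b>${msg.from}</b> ${msg.subject}: ${msg.body}</li>`;
}

// HTML entity encoder for text placed between tags or in a quoted attribute.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hardened renderer: every untrusted field is encoded, so the payload is
// shown to the reader as text rather than parsed by the browser as markup.
function renderPreviewSafe(msg) {
  return `<li><b>${escapeHtml(msg.from)}</b> ${escapeHtml(msg.subject)}: ${escapeHtml(msg.body)}</li>`;
}

function renderInbox(messages, renderer) {
  return `<ul>${messages.map(renderer).join("")}</ul>`;
}

// Crude regression check a tester can run on rendered output: the only tags
// present should be the template's own. Each preview contributes <li> and
// <b>, and the list contributes <ul>; anything beyond that came from a mail.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}
function expectedTagCount(messageCount) {
  return 1 + 2 * messageCount;
}

if (typeof require !== "undefined" && require.main === module) {
  const unsafe = renderInbox(sampleInbox, renderPreviewUnsafe);
  const safe = renderInbox(sampleInbox, renderPreviewSafe);
  console.log("unsafe:", unsafe);
  console.log("safe:  ", safe);
  console.log("tags unsafe/safe/expected:", countTags(unsafe), countTags(safe),
    expectedTagCount(sampleInbox.length));
}
```

Encoding everything is the right fix for a plain-text preview such as an inbox listing. A client that must display HTML email bodies cannot simply encode them away; there the body has to go through an allowlist-based HTML sanitiser, and the tag-count check above is only a smoke test, not a substitute for one.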
Raafat captured how easy it was to exploit in a simple video on his site, PWN Rules.
Rather than stealing cookies or spreading malware silently Raafat simply writes an email that includes code to open a ‘prompt’ window – an obvious, visual signal that his email is being treated as code rather than content.
Yahoo Mail has hundreds of millions of users, so a successful in-the-wild exploit of this vulnerability, which could easily have piggybacked on the industrial-scale channels for sending spam that already exist, could have been extremely serious.
For his efforts Raafat earned Yahoo’s thanks and an undisclosed bug bounty.