The déjà vu is real for Finnish security researcher Jouko Pynnonen.
Just shy of a year ago, Pynnonen privately disclosed a stored cross-site scripting vulnerability in Yahoo Mail, and was rewarded with a $10,000 bounty through Yahoo’s HackerOne program.
Fast forward to last month, and there was Pynnonen again finding and disclosing a brand new stored XSS bug in Yahoo Mail and collecting another $10,000 bounty.
The vulnerability was patched Nov. 29, 17 days after Pynnonen reported the issue to Yahoo.
The bug presented users with risks similar to those of the 2015 entry: an attacker could exploit the flaw to read a victim’s email, infect a victim’s machine with malware, or exploit other vulnerabilities.
A victim, meanwhile, need only view an email sent by an attacker. No other interaction is necessary, Pynnonen said.
“In fact the attack can be carried out without even registering on Yahoo Mail. Only the victim’s Yahoo email address is needed.”
YouTube video links in Yahoo Mail, for example, generate a link enhancer card which provides a preview of the content in an email message.
“When a message containing this kind of markup is opened in Yahoo Mail, it will add the video embedded in an <IFRAME> tag.
A share button is also displayed next to the video.
I tried creating an email with ‘abusive’ data-* attributes and bingo!, found a pathological case pretty quickly.
Inserting a quote symbol in the data-url value caused broken HTML in the share button.
As long as the URL pointed to a white-listed website such as YouTube, it was not further sanity checked or encoded.
The value was used as is for setting a div innerHTML to create the button.”
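The failure Pynnonen describes is a context mismatch: a URL that passed a site whitelist was treated as safe HTML and concatenated into an attribute. The example below is added here and is not Yahoo’s or Pynnonen’s code; the share-button markup, function names and the `ALLOWED_HOSTS` list are assumptions. It shows the unsafe builder beside a hardened one that validates the URL structurally (hostname, not string prefix), normalizes it, and encodes it for the attribute context.

```javascript
// Added example (not Yahoo's or Pynnonen's code). Markup and names are assumed.

// Unsafe pattern: trust a whitelisted URL and drop it into markup unencoded.
function buildShareButtonUnsafe(dataUrl) {
  // Attribute context: a single embedded quote ends data-url early, and the
  // rest of the string becomes new attributes of the <div>.
  return `<div class="share" data-url="${dataUrl}">Share</div>`;
}

// Weak whitelist: a string prefix check accepts look-alike hosts.
function isAllowedByPrefix(value) {
  return value.startsWith("https://www.youtube.com");
}

// Hardened check: parse the URL and compare the hostname exactly.
const ALLOWED_HOSTS = new Set(["www.youtube.com", "youtube.com", "youtu.be"]);

function parseAllowedVideoUrl(value) {
  let url;
  try {
    url = new URL(value); // throws on unparsable input
  } catch {
    return null;
  }
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
    return null;
  }
  return url; // url.href is the normalized form: '"' and ' ' become %22 and %20
}

// Encode for the double-quoted HTML attribute context.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&#39;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Safe builder: validate, normalize, then encode. Returns null to render nothing.
function buildShareButtonSafe(dataUrl) {
  const url = parseAllowedVideoUrl(dataUrl);
  if (url === null) return null;
  return `<div class="share" data-url="${escapeHtmlAttr(url.href)}">Share</div>`;
}

// Constructed samples: a whitelisted host with a quote that closes the attribute,
// and a look-alike host that passes a prefix check.
const SAMPLE_QUOTE = 'https://www.youtube.com/watch?v=abc123" data-x="injected';
const SAMPLE_LOOKALIKE = "https://www.youtube.com.example.test/watch?v=abc123";
```

Run with node: the unsafe builder emits a second `data-x` attribute for `SAMPLE_QUOTE`, while the safe builder keeps the whole value inside `data-url` and refuses `SAMPLE_LOOKALIKE` outright.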
Last Dec. 26, Pynnonen disclosed a similar bug to Yahoo that was patched Jan. 6.
The $10,000 bounties are among the largest paid out by Yahoo’s bounty program.
“The impact is the same,” Pynnonen said in comparing the two vulnerabilities. “The difference is in how the email has to be formatted in order to achieve script execution.”