Yahoo fixes mailbox vulnerabilities and researchers receive a $10 thousand prize

Yahoo fixes mailbox vulnerabilities and researchers receive a $10 thousand prize

Yahoo has fixed a vulnerability that attackers can use to hijack users' mailboxes.
This vulnerability has serious dangers.
According to the latest news, Yahoo has fixed the XSS vulnerability. Earlier malicious attackers can exploit this vulnerability to send malicious emails and then obtain information about the target account. For XSS cross-site scripting attacks, malicious code can be embedded into Web pages that can be accessed by other users through text information submitted by users, however, the website platform does not filter or verify the submitted text information, which is executed by the user's browser, resulting in XSS attacks.
In this process, malicious code runs with the same level of permissions as all other code on the page, which means that attackers can use it to obtain sensitive information of users, or attack users' personal browsers and computers. It is worth noting that malicious JavaScript code can be embedded in mail messages. This vulnerability is terrible because the code is executed even if the user only opens an email to read the message. Then, the attacker can completely break the victim's account and hijack settings, send an email even without permission or detection.
This vulnerability was discovered by Pynn önen, an information security expert:
"Malicious attackers can exploit this XSS vulnerability to obtain the permissions of the target account and then forward or directly send emails without the user's consent ."
Vulnerability fixed
The HTML tag in the mailbox is usually used to change the template and style of the mail, and allows users to add font, insert pictures, insert videos, and so on. Pynn önen added tags of different attributes to the email to observe how Yahoo handled every HTML tag in the email and then sent them to himself, the purpose is to observe what Yahoo has filtered out, and what is left. He uses the HTML Tag "" and replaces value2 with malicious code. In addition, there is a space between value1 and value2. Later, to prove the problem, he made a video which he could watch below.
It is also worth noting that the bug was fixed earlier in January shortly after it was notified of the security issue through the HackerOne vulnerability rewards program. Jouko Pynn önen, who eventually disclosed details to the sannewell-based company in California, was rewarded with $10 thousand (about 9200 euros.
Yahoo said the vulnerability has not been actually used and was fixed in January 6, 2016.

Yahoo has fixed a vulnerability that attackers can use to hijack users' mailboxes.
This vulnerability has serious dangers.
According to the latest news, Yahoo has fixed the XSS vulnerability. Earlier malicious attackers can exploit this vulnerability to send malicious emails and then obtain information about the target account. For XSS cross-site scripting attacks, malicious code can be embedded into Web pages that can be accessed by other users through text information submitted by users, however, the website platform does not filter or verify the submitted text information, which is executed by the user's browser, resulting in XSS attacks.
In this process, malicious code runs with the same level of permissions as all other code on the page, which means that attackers can use it to obtain sensitive information of users, or attack users' personal browsers and computers. It is worth noting that malicious JavaScript code can be embedded in mail messages. This vulnerability is terrible because the code is executed even if the user only opens an email to read the message. Then, the attacker can completely break the victim's account and hijack settings, send an email even without permission or detection.
This vulnerability was discovered by Pynn önen, an information security expert:
"Malicious attackers can exploit this XSS vulnerability to obtain the permissions of the target account and then forward or directly send emails without the user's consent ."
Vulnerability fixed
The HTML tag in the mailbox is usually used to change the template and style of the mail, and allows users to add font, insert pictures, insert videos, and so on. Pynn önen added tags of different attributes to the email to observe how Yahoo handled every HTML tag in the email and then sent them to himself, the purpose is to observe what Yahoo has filtered out, and what is left. He uses the HTML Tag "" and replaces value2 with malicious code. In addition, there is a space between value1 and value2. Later, to prove the problem, he made a video which he could watch below.
It is also worth noting that the bug was fixed earlier in January shortly after it was notified of the security issue through the HackerOne vulnerability rewards program. Jouko Pynn önen, who eventually disclosed details to the sannewell-based company in California, was rewarded with $10 thousand (about 9200 euros.
Yahoo said the vulnerability has not been actually used and was fixed in January 6, 2016.