Yahoo! Mail! Had! Nasty! XSS! Bug!

A stored XSS vuln in Yahoo! Mail has netted Finnish researcher Jouko Pynnönen of Klikki Oy a US$10,000 bug bounty. Pynnönen turned up the bug with a bit of old-fashioned brute force: he fed the system an HTML e-mail containing “all known HTML tags and attributes” to see what survived the Purple Palace's filters. What's …

  1. Anonymous Coward

    Yahoo! Mail! Had! Nasty! XSS! Bug!

    Again!

    Fixed.

  2. Anonymous Coward

    What about the address book being stolen?

    I had contents of my Yahoo address book stolen and was being used by someone who used it to spam everyone. Yahoo just said that I should change my password. I am sure if they knew my password, they would have done a lot more than just steal my address book contents. Maybe someone from The Register would like to investigate this?

    1. David Gosnell

      Re: What about the address book being stolen?

      Hijacked Yahoo spam seems ten-a-penny these days, and it (along with other webmails) has always been significant. In trying to find advice for afflicted users, there seems to be precious little detail around as to what's happening. I suspect some have been phished, but doubt that's the whole story.

    2. Hans 1 Silver badge

      Re: What about the address book being stolen?

      Did you provide fecebook with your email address and email account password when they kindly asked to look for your fiends? Maybe other sites like that also try the trick ...

    3. leexgx

      Re: What about the address book being stolen?

      they don't know your password. yahoo seems to have an issue where the spam people can steal your session ID (don't ask me how) and once in they scan every single email you have as well as the address book and then send a link to each email (which is why you get so many delivery failed messages)

      note this also bypasses the 2 factor login that yahoo poorly implements

      you Must make sure you have a Valid phone number or email attached to your account Before you change your password, as once you change the password your account will get locked out as the spammer Bot tries to use your account multiple times to send spam again and in turn locks it out (a customer i went to yesterday luckily had a number on the account; they changed the password even though i told them not to until i came around but did it anyway, but their number was on the account so all was good in the end)

      this happened to 4-5 people i know, they did not disclose their password (well at least 2 of them did as they use yahoo from the email app and 1 of them had 2-factor enabled as well)

      1. PhilBuk

        Re: What about the address book being stolen?

        Ever thought about using capital letters, full stops, commas, the whole sentence sort of thing? Makes your outpouring a bit more readable.

  3. Mike 125

    Real issues...

    People love to slag Yahoo, but IMHO most of its problems now are caused by the ignorance and appalling hygiene of your average Yahoo user.

    Let's not forget - it was a lot of people's first webmail account, back when 12345 was good enough. I always know when someone's account has succumbed: a strange 'Hi' arrives from someone not heard from in years. And on contact, they've often forgotten all about the account long ago. And I also know people who click on every f#king thing that arrives.

    But yea, clearly there are real issues here too.

  4. Spender

    This looks like the kind of problem

    caused by using regular expressions to filter HTML content. Regular expressions are very poorly suited to the job of dealing with HTML and getting the filtering right becomes a game of whack-a-mole, as we can see here. If the content's going to a browser, it should be parsed with the same tools that a browser uses. To suppose that a "parser" built using completely different technology can stay current is talk from imagination-land.
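Spender's point about regex filters versus a real parser, as an added example that is not from the article or any commenter: a naive regex "filter" beside an allowlist sanitizer built on Python's html.parser, run over a constructed sample. The tag allowlist, the sample markup and the function names are illustrative assumptions; html.parser is a tokenising HTML parser rather than a browser engine, so a browser-grade sanitising library remains the better production choice.

```python
import re
from html import escape
from html.parser import HTMLParser

# The brittle approach: strip <script> tags and double-quoted on* handlers with regexes.
def regex_filter(html):
    html = re.sub(r'</?script[^>]*>', '', html, flags=re.I)
    html = re.sub(r'\son\w+\s*=\s*"[^"]*"', '', html, flags=re.I)
    return html

# Allowlist (constructed for this example): tag -> attributes permitted on it.
ALLOWED = {'p': set(), 'b': set(), 'i': set(), 'br': set(), 'a': {'href'}}
SAFE_SCHEMES = ('http:', 'https:', 'mailto:')   # absolute, explicitly allowed schemes only

class AllowlistSanitizer(HTMLParser):
    # Tokenise with a real parser, then re-serialise only allowlisted tags/attributes.
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode entities so output is re-escaped uniformly
        self.out, self.drop = [], 0

    def handle_starttag(self, tag, attrs):       # parser lower-cases tag and attribute names
        if tag in ('script', 'style'):
            self.drop += 1                       # swallow raw script/style content entirely
            return
        if tag not in ALLOWED:
            return                               # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == 'href' and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                         # javascript:, data:, relative etc. never pass
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.drop = max(0, self.drop - 1)
        elif tag in ALLOWED and tag != 'br':
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.drop:
            self.out.append(escape(data))        # all text is re-escaped on output

def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html); p.close()
    return ''.join(p.out)

# Constructed sample: a single-quoted handler and a mixed-case attribute defeat the regex.
SAMPLE = '<p onclick=\'doThing()\' ONLOAD="x()">Hi <b>there</b> <a href="javascript:go()">link</a></p>'
```

regex_filter(SAMPLE) leaves the onclick handler and the javascript: link in place, whereas sanitize(SAMPLE) returns `<p>Hi <b>there</b> <a>link</a></p>`.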

  5. Mark Allen

    Regular problem

    I have a couple of clients who regularly get their Yahoo accounts hijacked. Older clients, so they will have fairly tame surfing habits, though one of them visits a lot of hotels. Maybe that is the route. Hard to tell.

    The same pattern happens each time where the scammer mails out "Help I need cash" messages from the yahoo account to everyone in the address book. They then delete your address book. The ReplyTo: address will have been changed on the account. Often to the same name but at a different free mail host. So anyone replying to the scam will be directed to the scammer.

    Last time this had happened the broken Yahoo mail interface was stopping us correcting the issue due to a bug in the interface, but I flipped back to the old interface and all was well again.

    You really have to dig deep into all the settings to remove all traces of the scammer's control of the account. They tend to go in and change as many of the contact details as possible.

    2FA is now enabled, but as it is Yahoo I am still expecting to hear back from one of these clients again soon the next time the account is hijacked.

    And to the commentard above who claims this is just idiot users... with my clients there has been no typing in of details on phishing sites. I train a healthy level of paranoia into my clients which means they have certainly not done anything as daft as that. I wish I could get them off of the Yahoo accounts, but they often don't like change.

    1. Spasticus Autisticus
      Mushroom

      Re: Regular problem

      I get quite a few "Help I need cash" from @btinternet.com email accounts too. BT are supposedly moving their email off the Yahoo servers sometime; whenever I speak to the BT help line and ask when my and many of my customers' email will be moved off the shitty Yahoo servers they always say soon. <rant>This has been going on for years, I ask "is soon weeks? months? or what?", they answer weeks. I suppose 100 weeks is still weeks but will I see my btinternet.com account moved before I die - what a bunch of counts.</rant>

      Icon for everything BT & Yahoo

      1. Mark Allen

        Re: Regular problem

        This has puzzled me too. When Yahoo! is so bad that even BT want to leave, it is a puzzle why their exodus is so slow.

        When Sky left Google for Yahoo! that all happened pretty quick. Similar when VirginMedia left Google - a matter of months and the job was done (yeah, yeah... just a different set of bugs in the spam filters but that is a different story)

        It is just bizarre that BT can take so many years to get away from the Yahoo mess. I always find it funny if I am on the phone to BT Support on behalf of a client. You notice that disconnect as an issue passes from BT's Support Team to the Yahoo! Support Team. I've had a few clients who get stuck in a finger pointing exercise of BT blaming Yahoo and Yahoo blaming BT.

        Standard advice to clients - RUN AWAY and get a gmail.com, outlook.com, vivaldi.net or ANY other "free" email account and break free of this mess.

        (Trouble is the evil Yahoo makes it very hard to export folders as they keep breaking their IMAP access... does Yahoo get *anything* right?)

  6. Anonymous Coward

    Oh come on!!!

    Burpsuite's in-built vulnerability scanner, admittedly not the best, caters for exactly this kind of fuzzing, so the question is, why didn't yahoo discover it first... Burpsuite costs 250 US$ a year for a single licence.... Do you vulnerability??

  7. andrewj

    Yahoo Mail is one big nasty bug these days.

  8. Solmyr ibn Wali Barad

    offtopic!

    Have to admit it was rather worrying to read several Yahoo! related articles without the requisite exclamation marks. Seems that normal service is being restored.

    Articles in concern:

    m.theregister.co.uk/2016/01/14/yahoo_dumps_135tb_of_users_news_interaction_data_for_machine_eating/

    m.theregister.co.uk/2016/01/13/ok_to_spy_on_employees_at_work_european_court/

    m.theregister.co.uk/2015/12/14/hedge_fund_manager_can_turn_yahoo_around/
