Yet Another Yahoo! Security Issue


Yahoo! has fixed a major security flaw in its Yahoo! Mail service. The flaw allowed an attacker to embed JavaScript in an email and have it execute when the recipient opened the message, which would give the attacker access to all of that person's email and their Yahoo! account just by them opening an infected email.

How was it done? Yahoo!, like many other email services, strips HTML and most attributes from emails that are received. Not every attribute is filtered, though, and normally that would not matter: JavaScript embedded in an attribute value is entity-encoded, so it is treated as plain text and never executed. However, thanks to the video and image previews that have been added in recent years (the ones that show YouTube or Vimeo video preview icons or previews of images attached to an email), some data-* attributes are read by JavaScript that Yahoo! wrote in order to generate a preview block:

Yahoo! Mail XSS Bug

So a security researcher thought: what would happen if I embedded a script inside the element's data attribute? So he tried it:

<div class="yahoo-link-enhancr-card" data-url=";&gt;&lt;img src=x onerror=alert(/xss/)&gt;&lt;">

What happened when he sent himself the infected email to his Yahoo! account?

Yahoo! Mail showing a popup generated from a received email

Uh oh…

But that is just some script embedded in an attribute, so why is it getting converted into actual HTML? He began digging through Yahoo!'s JavaScript, the part that generates those video and image previews, and found a piece of code that simply takes the contents of a couple of those attributes and inserts them into the page as HTML, with no escaping:

function generateButton(e, t) {
    var n = this, r;
    // e comes straight from the email's data attribute and is concatenated into HTML unescaped
    t.insert(['<button data-share-url="', e, '" class="', o, '">',
              '<span class="icon icon-social"></span>',
              '</button>'].join(""));
    r = t.one("." + o); // look up the inserted button (call reconstructed from the fragment "."+o)
    n._attachButtonListeners(r);
}
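
To make the two halves of the bug concrete, here is an added example (not Yahoo!'s code) that shows why an entity-encoded attribute still becomes live markup once the browser has decoded it and the preview code concatenates it into HTML, alongside the attribute escaping that the generator was missing. The function names, the "share-btn" class and the decodeAttribute helper (which only handles the entities in the payload above) are assumptions for the demonstration.

```javascript
// Added example, not Yahoo!'s code: entity-decoded attribute -> unescaped HTML.

// Decode the entities a browser decodes when script reads a data-* attribute.
// Assumption: only the four entities needed for the quoted payload are handled.
function decodeAttribute(value) {
  return value.replace(/&(lt|gt|quot|amp);/g, function (m, name) {
    return { lt: "<", gt: ">", quot: '"', amp: "&" }[name];
  });
}

// Escape a value so it stays inert inside an HTML attribute or text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Vulnerable: mirrors generateButton above, concatenating the raw value.
function buildShareButtonVulnerable(url, cls) {
  return ['<button data-share-url="', url, '" class="', cls, '">',
          '<span class="icon icon-social"></span>', '</button>'].join("");
}

// Hardened: every attribute value that came from the email is escaped first.
function buildShareButtonSafe(url, cls) {
  return ['<button data-share-url="', escapeHtml(url), '" class="', escapeHtml(cls), '">',
          '<span class="icon icon-social"></span>', '</button>'].join("");
}

// Constructed sample: the data-url value exactly as it sat in the email's markup.
const DATA_URL_FROM_EMAIL = ";&gt;&lt;img src=x onerror=alert(/xss/)&gt;&lt;";

// Returns what the preview script sees and what each builder would insert.
function demo() {
  const decoded = decodeAttribute(DATA_URL_FROM_EMAIL); // value as read from the DOM
  return {
    decoded: decoded,
    vulnerable: buildShareButtonVulnerable(decoded, "share-btn"), // a live <img> tag
    safe: buildShareButtonSafe(decoded, "share-btn"),             // text inside the attribute
  };
}
```

The decoded string closes the data-share-url attribute and opens a new tag in the vulnerable output, while the escaped version stays a harmless attribute value.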
With script running inside the victim's mailbox, an attacker could read all of the emails of anyone who opened an infected message, send email as that user, or perform other actions with their account.

The researcher reported the flaw to Yahoo! before releasing the details, and Yahoo! has fixed the issue.
