Serious Flaw Found in Yahoo Mail
Posted by: Timothy Weaver on 01/20/2016 10:40 AM
Yahoo Mail had a serious stored cross-site scripting (XSS) vulnerability that affected more than 300 million email accounts globally. It was patched earlier this month, earning the researcher who discovered it a $10,000 bug bounty.
The flaw allowed malicious JavaScript to be embedded in a specially formatted email message. The code was evaluated automatically as soon as the message was viewed; no click or other interaction was needed. Running in the context of the victim's Yahoo Mail session, the JavaScript could then compromise the account, change its settings, and forward or send email without the user's consent.
Jouko Pynnönen of Klikki Oy, Finland, explained: “Yahoo Mail displays HTML-formatted email messages after filtering any potentially malicious code. The problem lies in this process. Certain malformed HTML code could pass the filter.”
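The bug class Pynnönen describes, a filter that lets malformed HTML through, is easiest to see side by side with the fix. What follows is an added example, not Yahoo's filter and not the researcher's proof of concept: a blacklist-style regex filter of the kind that malformed markup defeats, next to an allowlist re-serializer that emits only tags it has fully parsed and treats anything else as text. The tag set, the sample messages and the function names are assumptions made for the illustration; the bypass strings are textbook examples, not the specific markup that affected Yahoo Mail.

```javascript
// Added example (not Yahoo's code). Two ways to "sanitize" HTML mail bodies.

// 1. Blacklist filter: strips <script> tags and on* handlers in one pass.
//    This is the pattern that malformed HTML walks straight through.
function blacklistFilter(html) {
  return html
    .replace(/<\/?script\b[^>]*>/gi, "")
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
}

// 2. Allowlist sanitizer: a tag is copied only if it parses completely as a
//    known element with known attributes; every other '<' becomes "&lt;".
const ALLOWED = { p: [], br: [], b: [], i: [], a: ["href"], img: ["src", "alt"] };
const URL_ATTRS = new Set(["href", "src"]);

// Sticky regex: must match a whole, well-formed tag at the current position.
// Quoted values may not contain < or >; that is deliberately conservative.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z][a-zA-Z0-9-]*(?:\s*=\s*(?:"[^"<>]*"|'[^'<>]*'|[^\s"'<>=]+))?)*)\s*(\/?)>/y;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"<>]*)"|'([^'<>]*)'|([^\s"'<>=]+)))?/g;

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Only absolute http(s)/mailto URLs survive; javascript:, data:, etc. are dropped.
function safeUrl(value) {
  const v = value.trim();
  return /^(https?:|mailto:)/i.test(v) ? v : null;
}

// Rebuild an opening tag from its parsed attributes instead of copying raw bytes.
function rebuildTag(name, rawAttrs, selfClosing) {
  const allowedAttrs = ALLOWED[name];
  let attrs = "";
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
    const key = a[1].toLowerCase();
    if (!allowedAttrs.includes(key)) continue; // onerror, style, ... never pass
    let value = a[2] ?? a[3] ?? a[4] ?? "";
    if (URL_ATTRS.has(key)) {
      value = safeUrl(value);
      if (value === null) continue;
    }
    attrs += ` ${key}="${escapeAttr(value)}"`;
  }
  return `<${name}${attrs}${selfClosing ? " /" : ""}>`;
}

function allowlistSanitize(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    const ch = html[i];
    if (ch === "<") {
      TAG_RE.lastIndex = i;
      const m = TAG_RE.exec(html);
      const name = m && m[2].toLowerCase();
      if (m && Object.prototype.hasOwnProperty.call(ALLOWED, name)) {
        out += m[1] ? `</${name}>` : rebuildTag(name, m[3], m[4] === "/");
        i = TAG_RE.lastIndex;
      } else {
        out += "&lt;"; // malformed or unknown tag: render it as text
        i += 1;
      }
    } else if (ch === ">") {
      out += "&gt;";
      i += 1;
    } else {
      out += ch;
      i += 1;
    }
  }
  return out;
}

// Constructed sample messages (assumptions for the demo, not real mail bodies).
const SAMPLES = [
  "<scr<script>ipt>alert(1)</scr</script>ipt>",           // nested tag, one-pass strip reassembles it
  '<img src="x"onerror=alert(1)>',                        // no space before on*: browsers still parse it
  '<a href="javascript:alert(1)" onclick="x()">link</a>', // URL scheme the blacklist never looks at
  '<p>Hi <b>there</b>, see <a href="https://example.com/x">this</a></p>', // benign mail survives
];

function runSamples() {
  return SAMPLES.map((input) => ({
    input,
    blacklist: blacklistFilter(input),
    allowlist: allowlistSanitize(input),
  }));
}
```

Run with `node` and print `runSamples()`: the blacklist output for the first sample is exactly `<script>alert(1)</script>`, the second sample comes back untouched, and the third keeps its `javascript:` link; the allowlist output for all three contains no `<` at all, while the benign fourth sample is reproduced unchanged. The design point is that the allowlist never copies input bytes into the output; it copies only what it parsed and re-serialized, so markup it cannot parse cannot become markup in the browser.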
All versions of Yahoo Mail, the second-largest email service worldwide, were affected.
“We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits in the wild,” explained Pynnönen.
Source: InfoSecurity