Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Yahoo! Security

Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails (zdnet.com) 30

Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim's email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty, In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.
This discussion has been archived. No new comments can be posted.

Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails

Comments Filter:
  • Now only the government read read users emails

  • by Anonymous Coward

    never works, you need to sandbox it or whitelist or gtfo

  • by geekmux ( 1040042 ) on Thursday December 08, 2016 @01:19PM (#53446947)

    "The internet giant paid out $10,000...

    So being able to read your customers email is only worth $10,000 to you, Yahoo?

    Don't be surprised if you find the next hack against you was sold to the black market for half that amount, simply because you're too fucking cheap to offer up more than a financial slap in the face.

    One would think money talks would be a well-known and understood concept to a greedy corporation.

    • There are two sides to that. In a day I can run a suite of tools across a dozen such services. Those tools will find likely weak areas with little effort or time on my part. Over the next couple of days, I can explore the issues highlighted by the tools and quite possibly find an issue like this.

      At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair. Anot

      • At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair.

        Actually, no, they are not "fair". Case in point; A corporation selling security vulnerability analysis walks in the door. It might take them 5 minutes to configure their network scanning tool, and an hour to run it and produce the report, but you will certainly find that the level of effort does not incite them to charge any less for the report.

        When it comes to security analysis and remediation, level of effort should never be a pricing metric, in much the same way that a surgeons salary should not be ba

        • > level of effort should never be a pricing metric, in much the same way that a surgeons salary should not

          You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.

          > at least priced high enough to entice everyone away from the black market.

          There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to d

          • > level of effort should never be a pricing metric, in much the same way that a surgeons salary should not

            You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.

            You may notice that obtaining a high-end security certification requires a ton of studying, as well as years of direct experience and hands-on work in the field. Therefore, people don't generally put in that level of effort unless they'll be well paid for it. And they are, which is my entire fucking point. I've seen my company pay upwards of $400/hr. for security-related work.

            > at least priced high enough to entice everyone away from the black market.

            There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to do things right, some choose crime instead. That'll always be true.

            Accountants get paid far more than a paltry bounty, for the same reasons I've already cited. My point stands.

  • by Anonymous Coward

    fixed and reaveiled after the fact. nice and gg.

    • Thankfully, it's easier for a web service to fix issues like this because they don't have to try and figure out how to get millions of end users to actually update their software to fix problems.

  • Well, the only yahoo mail, I have I use for my Flylady emails. The hacker will learn how to enjoy the holidays while getting all the holiday chores done without any stress or inconvenience to our families. :) Enjoy your hacker you!
  • As if there weren't already enough reasons for users to dump Yahoo?

  • It is the slowest, most ponderous, most irritating one out there bar none. I hope this year they will not add those ridiculous Christmas gimmicks, which make it even slower, more ponderous and more irritating.

Think of your family tonight. Try to crawl home after the computer crashes.

Working...