Yahoo Fixes Flaw Allowing an Attacker To Read Any User's Emails (zdnet.com) 30
Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim's email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty, In a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail bug, which similarly let an attacker compromise a user's account. Yahoo filters HTML messages to ensure that malicious code won't make it through into the user's browser, but the researcher found that the filters didn't catch all of the malicious data attributes.
Yes (Score:1)
Now only the government read read users emails
Re: And it a flaw on POP too? (Score:1)
They still don't provide SSL IMAP even if you pay? I remember they declined to support even APOP back in the day.
I am paying to Fastmail guys, they even try to make (open, documented) progress on IMAP protocol.
blacklisting HTML (Score:1)
never works, you need to sandbox it or whitelist or gtfo
Re: Why in the World? (Score:1)
Just like cellular providers in some countries, free forward of email to other domains should be mandatory for commercial/adware (yes,adware) providers.
There were the days even Hotmail was a nice, clean e-mail service. Nobody can blame anyone for sticking with decade+ old address. I know a very good, respected commercial shareware developer using his @aol.com email.
Slap-in-the-face rewards and impact. (Score:4, Insightful)
"The internet giant paid out $10,000...
So being able to read your customers email is only worth $10,000 to you, Yahoo?
Don't be surprised if you find the next hack against you was sold to the black market for half that amount, simply because you're too fucking cheap to offer up more than a financial slap in the face.
One would think money talks would be a well-known and understood concept to a greedy corporation.
Two sides to that. For a week's work, not bad (Score:2)
There are two sides to that. In a day I can run a suite of tools across a dozen such services. Those tools will find likely weak areas with little effort or time on my part. Over the next couple of days, I can explore the issues highlighted by the tools and quite possibly find an issue like this.
At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair. Anot
Re: (Score:2)
At current bug-bounty levels, I could probably earn a bit more than I could make at a salaried position, while setting my own hours and exploring the things that interest me. So prices are reasonably fair.
Actually, no, they are not "fair". Case in point; A corporation selling security vulnerability analysis walks in the door. It might take them 5 minutes to configure their network scanning tool, and an hour to run it and produce the report, but you will certainly find that the level of effort does not incite them to charge any less for the report.
When it comes to security analysis and remediation, level of effort should never be a pricing metric, in much the same way that a surgeons salary should not be ba
No price entices everyone from crime (Score:2)
> level of effort should never be a pricing metric, in much the same way that a surgeons salary should not
You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.
> at least priced high enough to entice everyone away from the black market.
There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to d
Re: (Score:2)
> level of effort should never be a pricing metric, in much the same way that a surgeons salary should not
You may notice that becoming a surgeon requires a ton of effort. Therefore, people don't generally put out that level of effort unless they'll be well paid for it.
You may notice that obtaining a high-end security certification requires a ton of studying, as well as years of direct experience and hands-on work in the field. Therefore, people don't generally put in that level of effort unless they'll be well paid for it. And they are, which is my entire fucking point. I've seen my company pay upwards of $400/hr. for security-related work.
> at least priced high enough to entice everyone away from the black market.
There is no price, for any service, that customers are willing to pay and will entice everyone to do good rather than crime. Accountants get paid well to do things right, some choose crime instead. That'll always be true.
Accountants get paid far more than a paltry bounty, for the same reasons I've already cited. My point stands.
a posible zero day (Score:1)
fixed and reaveiled after the fact. nice and gg.
Re: (Score:3)
Thankfully, it's easier for a web service to fix issues like this because they don't have to try and figure out how to get millions of end users to actually update their software to fix problems.
The hacker will enjoy my emails (Score:2)
Re: (Score:2)
another reason to leave (Score:2)
As if there weren't already enough reasons for users to dump Yahoo?
They should fix their email web interface (Score:2)