A white-hat hacker found a way to hack into any Yahoo Mail account, and all he needed was to send an email to the target with some malicious code inside.
The security researcher, however, didn’t exploit this technique to break into anybody’s accounts. Instead, he alerted Yahoo about it, and earned a reward of $10,000 after the company fixed the bug at the end of last month.
2016 wasn’t a great year for Yahoo’s security team. The company admitted that hackers had stolen more than 500 million passwords in 2014, and media reports revealed the US government ordered the company to install what some described as a “hacking tool” to monitor its users.
The bug recently discovered by the white-hat hacker Jouko Pynnönen is a nasty one, but at least it was caught by a good guy, and there’s no evidence any cybercriminal exploited it.
Pynnönen, a researcher at Finnish security company Klikki Oy who has a knack for finding similar bugs in other websites like WordPress, said he was surprised to find this bug, especially because he caught a very similar one in Yahoo Mail last year.
“It’s always some kind of surprise to find a serious vulnerability on a website of this caliber,” Pynnönen told Motherboard in an email. “Maybe like what a gold digger feels when finding a nugget.”
Pynnönen found that a hacker could sneak malicious JavaScript code past Yahoo Mail’s filters by abusing the way Yahoo Mail displays links to sites such as YouTube. All he had to do was embed JavaScript within a specially crafted email containing a YouTube video link, as he explained in a blog post published on Thursday. In technical terms, this is a cross-site scripting (XSS) vulnerability, a classic web bug.
A victim could be compromised just by opening the email. At that point, in theory, the hacker could have accessed the victim’s inbox, stealing all their messages, and even spread a virus targeting other Yahoo Mail users, according to Pynnönen.
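As an added illustration, not code from Yahoo or from Pynnönen’s write-up (the article does not reproduce either), here is the bug class in miniature: a webmail “link enhancer” that rebuilds a YouTube link into an embed, first by splicing the raw link into HTML and then hardened to emit only a validated video ID. The function names, the sample links and the exact injection route are assumptions; the page does not describe Yahoo Mail’s actual code path.

```javascript
// Illustration of the bug class, not Yahoo Mail's code (assumption).
// A webmail client that turns YouTube links into inline players has to
// build HTML from an attacker-chosen string, so the builder itself is a
// sink the <script>-tag filter never sees.

// Vulnerable pattern: the link text is spliced straight into an attribute.
// A link whose last path segment contains a double quote breaks out of
// src="..." and lands extra attributes inside the <iframe> tag.
function renderYoutubeLinkUnsafe(href) {
  if (!href.includes("youtu")) return null;
  const tail = href.split("/").pop();
  return `<iframe src="https://www.youtube.com/embed/${tail}"></iframe>`;
}

// Hardened pattern: parse the URL, accept only known hosts, and let only
// an 11-character allowlisted video ID reach the generated markup.
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;

function extractYoutubeId(href) {
  let url;
  try { url = new URL(href); } catch { return null; }   // not a URL at all
  if (url.protocol !== "https:") return null;
  let id = null;
  if (url.hostname === "youtu.be") {
    id = url.pathname.slice(1);
  } else if (url.hostname === "www.youtube.com" || url.hostname === "youtube.com") {
    if (url.pathname === "/watch") id = url.searchParams.get("v");
  }
  // The URL parser percent-encodes quotes and spaces, so a crafted path
  // never matches the allowlist and is rejected here.
  return id !== null && YOUTUBE_ID.test(id) ? id : null;
}

function renderYoutubeLinkSafe(href) {
  const id = extractYoutubeId(href);
  if (id === null) return null;   // unrecognised link: render nothing, fall back to plain text
  return `<iframe src="https://www.youtube.com/embed/${id}"></iframe>`;
}

// Constructed sample inputs: a benign link and one carrying an attribute break-out.
const BENIGN = "https://www.youtube.com/watch?v=AbCdEfGhIj0";
const CRAFTED = 'https://youtu.be/AbCdEfGhIj0" onload="evil()';
```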
“What should send a chill down the spine is that an attack exploiting the vulnerability would not require any user interaction,” Graham Cluley, a well-known security expert, wrote in a blog post. “All a victim would have to do to have their account compromised is simply view an email, with no requirement to click on a link or open an attachment.”
A Yahoo spokesperson said that the company “has developed one of the largest and most successful bug bounty programs in the industry.”
“We’ve paid out more than $2 million in bounties, resolved more than 3,000 security bugs and maintain a ‘hackership’ of more than 2,000 researchers, some of whom make careers out of it,” the spokesperson’s email statement read.
This story has been updated to include Yahoo’s statement.