Monday, 12 December 2016

Yahoo patches critical XSS vulnerability that let hackers read any email

The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen who earned $10,000 for the feat from Yahoo’s bug bounty program. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts among other things.
Unlike phishing scams and ransomware attacks, this flaw required no attachment to be opened and no specific link to be clicked: an attacker only had to send the victim an email to gain access to the victim's messages.
Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email.
An investigation, however, showed that attackers could bypass that filtering: an email containing a YouTube link could be crafted so that JavaScript executed in the victim's mailbox, letting the attacker read the user's emails.
The report of the critical flaw comes just months after the tech giant admitted that a massive data breach in 2014 gave access to information of more than 500 million user accounts. The attack, which is the largest in the history of the Internet, gave hackers access to names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords of users. The company later blamed the attack on state-sponsored parties but did not name any country.
The bug in this case resided in Yahoo Mail's HTML filtering. Email messages can carry HTML (and various kinds of attachments), so for security reasons Yahoo inspects the raw HTML of each incoming message and runs it through a filter intended to keep malicious code out before the message is displayed.
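As an added illustration of the kind of filter the article describes, here is a small allowlist-based HTML sanitizer in Python. It is example code written for this page, not Yahoo's filter (the article gives no details of that implementation) and not the researcher's code. The tag and attribute allowlists, the `url_is_safe` helper and the constructed sample messages are all assumptions chosen for the demonstration. The design point it shows is the one behind the article's bypass: a filter that removes known-bad constructs can be slipped past by an unexpected one (a video link, say), whereas a filter that keeps only a short list of known-good tags and URL schemes and discards everything else has far less room for that.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist (assumed for this example): anything not listed is removed,
# never "repaired". A mail front-end would tune these lists to its needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}        # href is the only attribute kept at all
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Elements whose text content must be dropped too (script bodies, embeds).
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def url_is_safe(value):
    """Only absolute URLs with an allowlisted scheme survive (hypothetical helper)."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments, joined at the end
        self.dropped = []      # everything removed, for logging and review
        self._drop_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = 1
            self.dropped.append(f"<{tag}> (with content)")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            # Every allowed attribute here is a URL, so all go through url_is_safe.
            if name in ALLOWED_ATTRS.get(tag, set()) and value and url_is_safe(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded entities cannot become markup.
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, dropped_items) for one HTML message body."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message bodies (not real mail); the video URL is a placeholder.
SAMPLES = [
    '<p>See <a href="https://www.youtube.com/watch?v=placeholder">video</a></p>',
    '<p>x<script>alert(1)</script>y</p>',
    '<p>a<img src="x" onerror="alert(1)">b</p>',
    '<a href="javascript:alert(1)" onclick="x()">click</a>',
]

if __name__ == "__main__":
    for body in SAMPLES:
        clean, dropped = sanitize(body)
        print(f"in : {body}\nout: {clean}\nlog: {dropped}\n")
```

The `dropped` list is worth keeping: a mail pipeline that records what the sanitizer removed gets a detection signal for free, since a message whose log shows stripped script or embed elements from an unfamiliar sender deserves a look even when the rendered result was harmless. Note also that the sanitizer keeps the video link only as a plain `<a href>`; turning such links into embedded players is exactly the kind of extra feature that needs its own review, as the article's bypass shows.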