Critical Bug in Yahoo Mail Nets Hacker $10K
Security researcher Klikki Oy has received a $10,000 bug bounty for discovering a security flaw in Yahoo Mail. The cross-site scripting (XSS) vulnerability could have allowed an attacker to forward the contents of a victim’s inbox to an external website and to compromise the account itself. Yahoo learned about the threat last month, implemented a fix and rewarded the researcher through a bug bounty program.
According to the original post, the vulnerability exploited the way Yahoo Mail processes HTML-formatted email messages: “As most email solutions these days, Yahoo Mail displays HTML-formatted email messages after filtering any potentially malicious code. The problem lies in this process. Certain malformed HTML code could pass the filter.” In this case, the malformed HTML could be used to inject malicious JavaScript into an email message. In the proof-of-concept video, the researcher sent an email carrying such JavaScript, which forwarded the contents of the victim’s inbox to a specified website and added code to the victim’s email signature, attaching it to all outgoing emails without the user’s knowledge.
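Neither Yahoo’s filter nor Klikki Oy’s proof of concept appears in this article, so the following is an added illustration of the filtering problem described above (example code written for this piece, not Yahoo’s or the researcher’s): a constructed pattern-based filter, which a differently quoted attribute slips past, next to a parser-based allowlist sanitizer that rebuilds the message from parsed tokens so that malformed markup cannot carry attributes or URLs the policy never permitted. The tag, attribute and URL-scheme lists are assumed policy choices for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for a pattern-based filter: strips <script> blocks and
# double-quoted on*="..." handlers, so any other quoting style slips through.
NAIVE_PATTERNS = [re.compile(r"<script[^>]*>.*?</script>", re.I | re.S),
                  re.compile(r'\son\w+\s*=\s*"[^"]*"', re.I)]
def naive_filter(html: str) -> str:
    for pat in NAIVE_PATTERNS:
        html = pat.sub("", html)
    return html

# Allowlist policy (assumed for this example, not Yahoo's): anything unlisted is dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "div", "span", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")

class AllowlistSanitizer(HTMLParser):
    # Rebuilds the message from parser tokens, keeping only allowed tags/attributes.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # event handlers, style, etc. never survive
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # drops javascript:, data: and other script-bearing URLs
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

def sanitize(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Run `sanitize()` over a constructed message containing a single-quoted event handler and a `javascript:` link: the naive filter leaves the handler in place, while the allowlist version emits the same text with only the permitted tags and the `https:` link intact.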
Klikki Oy was awarded the $10,000 bug bounty through the HackerOne bug bounty program, a vulnerability management platform that works with the security research community. The platform was created by security professionals from Facebook, Microsoft, and Google, and claims to have facilitated the discovery and remediation of almost 17,000 bugs and to have paid out $5.83 million in such bounties. According to Litmus Labs, Yahoo Mail is the seventh most popular email client in the world. The vulnerability only affected web-based versions of Yahoo Mail, not its mobile application.