Skip Ribbon Commands
Skip to main content
Computer Emergency Response Team of Mauritius (CERT-MU)
Computer Emergency Response Team of Mauritius>Cross-site scripting (XSS) vulnerability found on mobile site of Yahoo! Mail

Cross-site scripting (XSS) vulnerability found on mobile site of Yahoo! Mail

Security researcher discovered an easy-to-exploit cross-site scripting (XSS) vulnerability in Yahoo Mail’s mobile site. All an attacker needed to do was compose an email that contains an XSS payload and send it to their target. The payload was completed once the victim opened their Yahoo Mail from the mobile site. The malicious code could've been executed even without the victim opening the attacker's email—simply opening the inbox from the mobile site was enough to do the trick. An attacker can use this vulnerability to execute JavaScript on the victim's browser. He can steal non-protected cookies, he can redirect the victim to malicious domains, or direct them to malicious files to download, or even phishing pages that ask them to enter their Yahoo credentials. Raafat reported that the flaw did not affect Yahoo Mail mobile applications. Yahoo! was advised of the vulnerability on 11 November via HackerOne and the flaw was patched on 21 November.
SC Magazine
Team Cymru
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis