We provided Yahoo with a proof of concept email that would forward the victim user’s inbox to an external website, and an email virus which infects the Yahoo Mail account and attaches itself to all outgoing emails. The bug was fixed before any known exploits “in the wild”.
The bug has affected all versions of Yahoo’s webmail but not the mobile app. Yahoo Mail is reportedly the second-largest email service globally with almost 300 million email accounts as of February 2014.
As most email solutions these days, Yahoo Mail displays HTML-formatted email messages after filtering any potentially malicious code. The problem lies in this process. Certain malformed HTML code could pass the filter.
As a starting point for our investigation, a message containing all known HTML tags and attributes was created to see which of them the Yahoo filter lets through. After viewing the resulting email on Yahoo Mail, we noticed that if certain, supposedly “boolean” HTML attributes were given a value, the value was removed by the filter, but the equals sign was not. For example
<INPUT TYPE="checkbox" CHECKED="hello" NAME="check box">
<INPUT TYPE="checkbox" CHECKED= NAME="check box">
This may seem pretty harmless on the first look, but web browsers handle this case rather unintuitively: this is interpreted as CHECKED having the value NAME=”check, plus the tag containing a third attribute named box without a value. The behavior is based on the HTML specification which allows “zero or more space characters” around the equals sign in an unquoted attribute value.
The confusion can be exploited to insert unrestricted HTML attributes in tags that allow a “boolean” attribute. In the PoCs we used the <IMG> tag. Example:
<img ismap='xxx' itemtype='yyy style=width:100%;height:100%;position:fixed;left:0px;top:0px; onmouseover=alert(/XSS/)//'>
After Yahoo Mail filtering this would effectively become (some of the quote symbols edited for clarity):
<img ismap=itemtype=yyy style=width:100%;height:100%;position:fixed;left:0px;top:0px; onmouseover=alert(/XSS/)//>
The bug was found and reported to Yahoo on December 26, 2015 via the HackerOne bug bounty platform. The bug was fixed on January 6, 2016. Yahoo awarded a bounty of $10,000 for finding and reporting the flaw.
The vulnerability was discovered and researched by Jouko Pynnönen of Klikki Oy, Finland.
Updated January 19, 9:30 EET: Added a link to HTML specification.