Yahoo says it has fixed a severe security vulnerability in its email service that allowed an attacker to read a victim’s email inbox. From a report on ZDNet: The cross-site scripting (XSS) attack only required a victim to view an email in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko Pynnonen for privately disclosing the flaw through the HackerOne bug bounty, In a write-up, Pynnonen said that the flaw was similar to last year’s Yahoo Mail bug, which similarly let an attacker compromise a user’s account. Yahoo filters HTML messages to ensure that malicious code won’t make it through into the user’s browser, but the researcher found that the filters didn’t catch all of the malicious data attributes.

Read more of this story at Slashdot.

Source: Slashdot – Yahoo Fixes Flaw Allowing an Attacker To Read Any User’s Emails