Yahoo Mail Fixes Security Flaw, Was Open to Account HiJacking


Yahoo Mail was open to attack because of a message-size bug in its JavaScript filter. ZDNet reports that the flaw could have let attackers take control of victims’ Yahoo accounts.

Yahoo has fixed a bug in its Yahoo Mail web client that would have allowed an attacker to seize control of a user’s email account simply by sending that user a specially crafted email. Script that survives the filter runs in the victim’s browser within the Yahoo Mail session, which is what turns a filter bypass into an account takeover.

The security flaw, according to eEye Digital Security’s Drew Copley:

Allowed attackers to bypass the Web-mail system’s JavaScript filters. Any message exceeding approximately 100 KB in length would not be analysed by the filter, which is meant to strip messages of any potentially malicious JavaScript.

“A remarkable note about this bug is that no one seems to have found it before,” Copley’s advisory reads. “As far as anyone knows.”

Technical Description:

[->a bunch of chars here [spaces are most stealth], the whole file size will be just about 100KB]
[this causes the filter to not work… the code is then run automatically]
The pseudo-diagram above explains the scenario rather well. For whatever reason, Yahoo’s email filter simply does not work on files which exceed a certain range. This kind of software issue is relatively common.
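The fail-open size check that the advisory describes, as an added example that is not Yahoo’s code or eEye’s: a toy regex-based JavaScript stripper gated on a roughly 100 KB threshold, next to a version that never hands unsanitized content to the renderer. The 100 KB constant, the regex patterns, the `onerror` payload and the message format are assumptions; the real filter’s internals are not published on this page.

```javascript
// Added example (not Yahoo's or eEye's code). Models the bug pattern
// described in the advisory: a sanitizer that is skipped above a size
// threshold, beside a version that fails closed. Threshold, regexes and
// payload are assumptions for illustration.
const SIZE_LIMIT = 100 * 1024; // assumed threshold (~100 KB)

// Naive stripper: removes <script> blocks, inline on* handlers and
// javascript: URLs. Deliberately simple; a production sanitizer should
// parse the HTML and allowlist elements rather than regex-strip.
function stripJavascript(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "")
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/javascript:/gi, "");
}

// Vulnerable pattern: the filter is skipped for "too large" bodies,
// presumably to bound CPU time. Oversized messages pass through untouched.
function filterVulnerable(body) {
  if (body.length > SIZE_LIMIT) {
    return body; // fail-open: no analysis, the script survives
  }
  return stripJavascript(body);
}

// Hardened pattern: the size check is a resource limit, not a bypass.
// Oversized bodies are either sanitized anyway or rejected outright;
// unsanitized HTML never reaches the renderer.
function filterHardened(body, { reject = false } = {}) {
  if (body.length > SIZE_LIMIT && reject) {
    return { ok: false, body: "" }; // fail-closed: drop the message
  }
  return { ok: true, body: stripJavascript(body) };
}

// Constructed attacker message: an active payload followed by padding
// ("spaces are most stealth", as the advisory's pseudo-diagram puts it).
function buildPayload(padding = SIZE_LIMIT + 1) {
  const payload = '<img src=x onerror="alert(document.cookie)">';
  return payload + " ".repeat(padding);
}

// Crude check used only to observe the outcome in this example.
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(html);
}

// Runs the same payload, small and oversized, through both filters.
function demo() {
  const small = buildPayload(10);
  const large = buildPayload();
  return {
    smallBlockedByVulnerable: !containsActiveContent(filterVulnerable(small)),
    largeBypassesVulnerable: containsActiveContent(filterVulnerable(large)),
    largeBlockedByHardened: !containsActiveContent(filterHardened(large).body),
    largeRejectedByHardened: filterHardened(large, { reject: true }).ok === false,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The lesson is not the regex but the branch: a cost-control limit that returns the raw input instead of refusing it converts a performance guard into a bypass. The same check is worth hunting for in any sanitizer, AV scanner or WAF that has a “max size” setting; if the behaviour above the limit is “pass through”, padding is all an attacker needs.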

Yahoo has fixed the Yahoo Mail bug.

Loren Baker
Loren Baker is the Founder of SEJ, an Advisor at Alpha Brand Media and runs Foundation Digital, a digital marketing strategy & development agency.