Yahoo has patched a vulnerability in the firm’s email service which allowed cyberattackers to spoof Yahoo email addresses.
The bug was discovered by independent researcher Lawrence Amer and published through Vulnerability Lab on Full Disclosure. On Monday, the security researcher released details of the flaw publicly, saying the sender spoofing vulnerability affected the Yahoo webmail application.
Cyberattackers are able to remotely spoof the sender names of Yahoo email users through a vulnerability found within the “compose message” module of the web service. A weakness in the system lets a user inject into, or intercept and modify, the POST/GET parameters of the compose request, setting the sender name to whatever they wish; the server trusted those client-supplied values rather than the identity of the logged-in account.
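The weakness described above, as an added example that is not Yahoo's code: a webmail compose handler that takes the sender from the request parameters, beside the hardened form that derives it from the authenticated session and records any disagreement for alerting. The parameter names, the `Session` object and the mail structure are hypothetical.

```python
# Added example (not Yahoo's code): a webmail "compose" handler that trusts
# the client-supplied sender fields, beside the hardened form that takes the
# sender from the server-side session. Parameter names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session: the only trustworthy source of sender identity."""
    user_email: str
    display_name: str


@dataclass
class OutgoingMail:
    from_name: str
    from_addr: str
    to_addr: str
    body: str
    anomalies: list = field(default_factory=list)  # mismatches worth alerting on


def compose_vulnerable(session: Session, params: dict) -> OutgoingMail:
    """The weak pattern: POST/GET parameters decide who the message is 'from',
    so anyone who edits the request can choose the sender name and address."""
    return OutgoingMail(
        from_name=params.get("from_name", session.display_name),
        from_addr=params.get("from_addr", session.user_email),
        to_addr=params["to"],
        body=params["body"],
    )


def compose_hardened(session: Session, params: dict) -> OutgoingMail:
    """The fix: sender identity comes from the session, never from the request.
    A client-supplied sender that disagrees is recorded, not honoured."""
    mail = OutgoingMail(
        from_name=session.display_name,
        from_addr=session.user_email,
        to_addr=params["to"],
        body=params["body"],
    )
    for key, expected in (("from_addr", session.user_email),
                          ("from_name", session.display_name)):
        supplied = params.get(key)
        if supplied is not None and supplied != expected:
            mail.anomalies.append(f"{key} mismatch: {supplied!r} != {expected!r}")
    return mail
```

The `anomalies` list is the detection hook: a tampered sender field on a compose request is a signal to log and alert on even once it can no longer change the message.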
This vulnerability is problematic as spoofed email addresses are often used in spear phishing campaigns — fraudulent emails which are sent for the purposes of information theft or in order to dupe a victim into installing malware on their systems. If a user receives an email from a spoofed Yahoo address which then seems legitimate, they may be more likely to fall for such a campaign.
The exploit is considered a medium severity issue. The researcher’s proof of concept (PoC) video is below.
Yahoo was made aware of the flaw in October last year, and the company’s developers were able to create a patch to fix the issue at the end of February 2016. Amer submitted the email security flaw through Yahoo’s Bug Bounty program, hosted on HackerOne.
The vulnerability has now been fixed, but it is not known how much the researcher earned for his work.